Platform: other
Component: plunk
Fixed in: 0.7.1
CVE-2026-32096 describes a Server-Side Request Forgery (SSRF) vulnerability affecting Plunk, an open-source email platform built on AWS SES. This flaw allows an unauthenticated attacker to craft requests that force the server to make arbitrary outbound HTTP GET requests to any host accessible from the server. The vulnerability impacts Plunk versions prior to 0.7.0 and has been resolved in version 0.7.0.
The SSRF vulnerability in Plunk allows attackers to potentially access internal resources, sensitive data, or even trigger actions on other systems accessible from the Plunk server. An attacker could, for example, scan internal networks for open ports or attempt to access administrative interfaces. The blast radius extends to any service or resource reachable from the Plunk server's network, potentially exposing credentials or confidential information. Because the vulnerability requires no authentication, successful exploitation could lead to significant data breaches and system compromise.
CVE-2026-32096 was publicly disclosed on 2026-03-11. No public proof-of-concept (PoC) code has been released at the time of writing. The EPSS score is likely to be medium, given the ease of exploitation (no authentication required) and the potential impact (arbitrary outbound requests). It is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS: 0.08% (23rd percentile)
CISA SSVC:
CVSS Vector:
The primary mitigation for CVE-2026-32096 is to upgrade Plunk to version 0.7.0 or later, which contains the fix. If immediate upgrading is not possible, consider implementing network segmentation to restrict the Plunk server's outbound network access. A Web Application Firewall (WAF) can be configured to filter outbound requests and block suspicious patterns. Additionally, review and restrict the permissions granted to the SNS webhook handler to minimize the potential impact of exploitation. After upgrading, confirm the fix by attempting to trigger an outbound request and verifying that it is blocked.
Update Plunk to version 0.7.0 or higher. This version fixes the SSRF vulnerability in the SNS webhook handler. The update will prevent unauthenticated attackers from making arbitrary HTTP GET requests from your server.
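The fix the advisory describes amounts to refusing to fetch attacker-supplied URLs from the SNS webhook handler. The following is an added example, not Plunk's own code: it assumes the unvalidated value is the SubscribeURL of an SNS SubscriptionConfirmation message (the page does not say which field was affected) and shows the weak accept-anything check beside a hardened one that only allows an https SNS endpoint for the expected topic.

```typescript
// Added example (not Plunk's own code). Assumes the vulnerable input is the
// SubscribeURL of an SNS SubscriptionConfirmation message, which the page does
// not state; field names follow the AWS SNS HTTP message format.

// Hosts SNS uses in the standard AWS partition, e.g. sns.us-east-1.amazonaws.com.
// Other partitions (amazonaws.com.cn) would need their own pattern; assumption.
const SNS_HOST = /^sns\.[a-z0-9-]+\.amazonaws\.com$/;

// Weak behaviour of this bug class: whatever URL the poster supplies is fetched,
// so the server acts as an open HTTP GET proxy into its own network.
function acceptAnySubscribeUrl(raw: string): boolean {
  return typeof raw === "string" && raw.length > 0;
}

function parseUrl(raw: string): URL | null {
  try { return new URL(raw); } catch { return null; }
}

// Hardened check: fetch only an https URL whose hostname is exactly an SNS endpoint.
function isSafeSubscribeUrl(raw: string): boolean {
  const url = parseUrl(raw);
  if (url === null) return false;                               // unparseable
  if (url.protocol !== "https:") return false;                  // no http:, file:, etc.
  if (url.username !== "" || url.password !== "") return false; // user@host tricks
  if (url.port !== "") return false;                            // SNS answers on 443 only
  return SNS_HOST.test(url.hostname);                           // whole-host match, not substring
}

interface SnsMessage {
  Type?: string;
  TopicArn?: string;
  SubscribeURL?: string;
}

// Decide whether a posted message may trigger an outbound GET. expectedTopicArn is
// the ARN this deployment actually subscribed (a constructed value in the test).
function shouldConfirm(msg: SnsMessage, expectedTopicArn: string): { fetch: boolean; reason: string } {
  if (msg.Type !== "SubscriptionConfirmation") return { fetch: false, reason: "not a confirmation" };
  if (msg.TopicArn !== expectedTopicArn) return { fetch: false, reason: "unexpected TopicArn" };
  if (!msg.SubscribeURL || !isSafeSubscribeUrl(msg.SubscribeURL)) {
    return { fetch: false, reason: "SubscribeURL rejected" };
  }
  return { fetch: true, reason: "ok" };
}
```

A production handler should also verify the SNS message signature before acting on it, applying the same host check to the SigningCertURL it downloads the certificate from.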
CVE-2026-32096 is a critical SSRF vulnerability in the Plunk email platform, versions less than or equal to 0.7.0, allowing unauthenticated attackers to make arbitrary outbound HTTP requests.
You are affected if you are using Plunk version 0.7.0 or earlier and rely on SNS webhooks. Upgrade to 0.7.0 to mitigate the risk.
Upgrade Plunk to version 0.7.0 or later. As a temporary workaround, implement network segmentation and WAF rules to restrict outbound requests.
There is no confirmed active exploitation of CVE-2026-32096 at this time, but the vulnerability's ease of exploitation warrants proactive mitigation.
Refer to the Plunk project's official release notes and security advisories on their GitHub repository for the latest information.