CVE-2026-4984 | THREATINT

Description

The Twilio integration webhook handler accepts any POST request without validating Twilio's 'X-Twilio-Signature'. When processing media messages, it fetches user-controlled URLs ('MediaUrlN' parameters) using HTTP requests that include the integration's Twilio credentials in the 'Authorization' header. An attacker can forge a webhook payload pointing to their own server and receive the victim's 'accountSID' and 'authToken' in plaintext (base64-encoded Basic Auth), leading to full compromise of the Twilio account.

PUBLISHED Reserved 2026-03-27 | Published 2026-03-27 | Updated 2026-05-10 | Assigner tenable

HIGH: 8.2CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

Product status

Default status

unaffected

Any version

affected

References

www.tenable.com/security/research/tra-2026-22

cve.org (CVE-2026-4984)

nvd.nist.gov (CVE-2026-4984)

Download JSON