CVE-2026-4984

Name of the Vulnerable Software and Affected Versions Twilio integration (affected versions not specified)

Description The Twilio integration webhook handler improperly validates requests, accepting any POST request without verifying the 'X-Twilio-Signature' header. When handling media messages, the integration retrieves resources from user-controlled URLs, specifically the MediaUrlN parameters, using HTTP requests. These requests include the integration’s Twilio credentials in the 'Authorization' header. This allows an attacker to forge a webhook payload directed to their own server. Consequently, the attacker can obtain the victim’s 'accountSID' and 'authToken' in plaintext (base64-encoded Basic Auth), potentially leading to a complete compromise of the Twilio account. The API endpoint receiving the forged payload is the webhook handler. The vulnerable parameters are MediaUrlN.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.