PT-2026-44547 · Mailtrap · Mailtrap Mailer Bridge

Published: 2026-05-21 · Updated: 2026-05-29 · CVE-2026-45755

CVSS v4.0: 6.6 (Medium)

Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U
Name of the Vulnerable Software and Affected Versions

Mailtrap mailer bridge versions prior to 7.4

Description

The webhook request parser used to authenticate and decode event callbacks fails to verify the X-Mt-Signature HMAC header. Specifically, the doParse(Request $request, #[SensitiveParameter] string $secret) function receives the configured webhook secret but never uses it, returning the decoded payload unconditionally. Because the signature is never checked, any client that can reach the webhook endpoint can submit forged event payloads, potentially leading to delivery-metrics fraud and suppression-list corruption.

Recommendations

Update to version 7.4 or later, where doParse() verifies the X-Mt-Signature header using a constant-time comparison.
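The following PHP is an added illustration of the weakness and its fix, written for this entry; it is not the Mailtrap bridge's code and does not use Symfony's Request or doParse(). The function names are hypothetical, and it assumes that X-Mt-Signature carries a hex-encoded HMAC-SHA256 over the raw request body (an assumption; the bridge's documentation defines the real algorithm and encoding). The vulnerable shape takes the secret and ignores it; the hardened shape recomputes the HMAC and compares it with hash_equals(), the constant-time comparison the recommendation refers to.

```php
<?php
declare(strict_types=1);

// Added example, not the Mailtrap bridge's own code. Signature scheme
// (hex HMAC-SHA256 over the raw body) is an assumption for illustration.

final class WebhookSignatureException extends \RuntimeException {}

/**
 * Vulnerable shape: the secret is received but never used, so any body
 * posted to the endpoint is returned as a trusted event payload.
 */
function parseWebhookUnverified(string $body, ?string $signature, #[\SensitiveParameter] string $secret): array
{
    return json_decode($body, true, 512, JSON_THROW_ON_ERROR);
}

/**
 * Hardened shape: require the header, recompute the HMAC over the exact
 * raw body, and compare in constant time before decoding anything.
 */
function parseWebhookVerified(string $body, ?string $signature, #[\SensitiveParameter] string $secret): array
{
    if ($signature === null || trim($signature) === '') {
        throw new WebhookSignatureException('Missing X-Mt-Signature header.');
    }

    $expected = hash_hmac('sha256', $body, $secret);

    // hash_equals() does not exit early on the first differing byte, so the
    // comparison time does not leak how much of the MAC an attacker got right.
    // The known-good value goes first, as the function's signature expects.
    if (!hash_equals($expected, strtolower(trim($signature)))) {
        throw new WebhookSignatureException('Invalid X-Mt-Signature header.');
    }

    return json_decode($body, true, 512, JSON_THROW_ON_ERROR);
}

// Constructed sample input: a "delivery" event posted without a valid signature.
$secret     = 'constructed-webhook-secret';
$forgedBody = '{"event":"delivery","message_id":"constructed-id","email":"user@example.com"}';

// The unverified parser accepts the forged event outright.
echo 'unverified: ', parseWebhookUnverified($forgedBody, null, $secret)['event'], PHP_EOL;

// The verified parser rejects it (missing header, then a wrong MAC).
foreach ([null, 'deadbeef'] as $badSignature) {
    try {
        parseWebhookVerified($forgedBody, $badSignature, $secret);
    } catch (WebhookSignatureException $e) {
        echo 'verified: rejected (', $e->getMessage(), ')', PHP_EOL;
    }
}

// A body signed with the shared secret is accepted.
$validSignature = hash_hmac('sha256', $forgedBody, $secret);
echo 'verified: accepted ', parseWebhookVerified($forgedBody, $validSignature, $secret)['event'], PHP_EOL;
```

Two details matter when applying this to a real parser: the MAC must be computed over the raw request body bytes, not over a re-serialised decoded array, and the secret should not be echoed into exceptions or logs (the #[\SensitiveParameter] attribute on the page's own signature keeps it out of stack traces).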

Weakness Enumeration

Missing Authentication
Improper Verification of Cryptographic Signature

Related Identifiers

CVE-2026-45755
GHSA-59F3-VP2F-MP9W

Affected Products

Mailtrap Mailer Bridge