CVE-2026-48063

Name of the Vulnerable Software and Affected Versions Baileys versions prior to 6.7.22 Baileys versions prior to 7.0.0-rc12

Description An authentication-bypass-by-spoofing flaw allows a remote unauthenticated attacker to send a maliciously crafted protocolMessage payload via the placeholderResendMessage endpoint. This triggers a fake messages.upsert event containing an attacker-controlled message key and payload, enabling the spoofing of arbitrary inbound messages on a target session. Additionally, this vector can be used to corrupt the app state sync system through forged key shares and facilitate history-sync spoofing, which allows the injection of fake previous conversation context or bogus on-demand sync data.

Recommendations Update to version 6.7.22. Update to version 7.0.0-rc12. As a temporary workaround, drop messages.upsert events that contain a requestId field. As a temporary workaround, disable automatic history sync by setting shouldSyncHistoryMessage: () => false in the socket configuration.