CVE-2026-42193
Plunk · Plunk (Email platform)
The Plunk email platform fails to verify SNS signatures, allowing unauthenticated attackers to forge webhook requests.
Executive summary
A critical authentication bypass in the Plunk platform allows unauthenticated attackers to spoof AWS SNS events and manipulate email delivery workflows.
Vulnerability
The /webhooks/sns endpoint accepts Amazon SNS messages without checking the message Signature, the SigningCertURL from which the signing certificate is fetched, or the TopicArn. Because SNS authenticates HTTP deliveries solely through that signature, anyone who can reach the endpoint can POST a forged SNS-shaped JSON body and have it processed as a genuine event.
Business impact
This vulnerability allows attackers to manipulate email metrics, unsubscribe users, and potentially exhaust billing credits. With a CVSS score of 9.1, it represents a significant risk to operational integrity and potential financial loss for businesses relying on the platform.
Remediation
Immediate Action: Update Plunk to version 0.9.0 or later to enable proper signature verification.
Proactive Monitoring: Review application logs for unexpected activity on /webhooks/sns, such as events referencing message IDs the platform never sent, an unexpected TopicArn, or bursts of bounce, complaint, or unsubscribe events that do not correlate with legitimate sending volume.
Compensating Controls: Until the instance is patched, restrict access to the /webhooks/sns endpoint (via a WAF, reverse proxy, or network ACL) to the AWS IP ranges published in ip-ranges.json. Treat this as a stopgap only: those ranges are shared with EC2 tenants, so any attacker with an AWS account can still originate traffic from them, and IP filtering does not replace signature verification.
Exploitation status
Public Exploit Available: No
Analyst recommendation
Because the endpoint cannot distinguish genuine SNS deliveries from forged ones, this is a high-priority update. Organizations should confirm their instance is running the patched version and, where feasible, verify that forged SNS payloads are now rejected before relying on webhook-driven email metrics or unsubscribe handling.