CVE-2026-32096
Published: 11 March 2026
Description
Plunk is an open-source email platform built on top of AWS SES. Prior to 0.7.0, a Server-Side Request Forgery (SSRF) vulnerability existed in the SNS webhook handler. An unauthenticated attacker could send a crafted request that caused the server to make an arbitrary outbound HTTP GET request to any host accessible from the server. This vulnerability is fixed in 0.7.0.
Mitigating Controls (NIST 800-53 r5)
- Requires timely remediation of the SSRF flaw in the Plunk SNS webhook handler by upgrading to version 0.7.0 or later.
- Mandates validation of unauthenticated inputs to the SNS webhook handler, so that crafted requests cannot trigger arbitrary outbound HTTP GET requests.
- Enforces boundary protections such as egress firewalls or proxies that monitor and restrict the server's outbound connections to unauthorized hosts, limiting what an SSRF can reach.
Security Summary
CVE-2026-32096 is a Server-Side Request Forgery (SSRF) vulnerability, classified under CWE-918, affecting Plunk, an open-source email platform built on AWS SES. The issue resides in the SNS webhook handler in versions prior to 0.7.0. An unauthenticated attacker could send a crafted request that tricks the server into issuing an arbitrary outbound HTTP GET request to any host reachable from the server environment. The vulnerability carries a CVSS v3.1 base score of 9.3 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N), reflecting its critical severity due to high confidentiality impact and changed scope.
Any unauthenticated remote attacker can exploit this vulnerability over the network with low complexity and no user interaction required. Successful exploitation allows the attacker to force the Plunk server to connect to and retrieve data from internal or external hosts that are accessible from the server's network context, such as metadata services, internal APIs, or other cloud resources. While the impact is primarily on confidentiality with limited integrity effects, it enables reconnaissance, data exfiltration, or further attacks against internal systems reached by pivoting through the server.
The vulnerability is addressed in Plunk version 0.7.0, as detailed in the project's security advisory (GHSA-xpqg-p8mp-7g44) and the fixing commit (b8f1ad9ab53c78f8ef063fdc125f397c8bfc7652) on GitHub. Security practitioners should upgrade to 0.7.0 or later and review webhook configurations to ensure only trusted sources can trigger SNS handlers.
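The remediation advice above (upgrade, and let only trusted sources trigger the SNS handler), together with the egress-restriction control listed under Mitigating Controls, as an added TypeScript example that is not Plunk's code and does not reproduce the fixed handler. It assumes, as is usual for SNS webhooks, that the handler's only outbound GET is the SubscribeURL confirmation fetch, and allow-lists both the TopicArn and the hosts that fetch may reach.

```typescript
// Added example, not Plunk's code: allow-list the outbound GET an SNS webhook
// handler makes. Assumption: the handler confirms subscriptions by fetching
// the SubscribeURL carried in the message body, the usual SNS pattern.
type SnsMessage = { Type?: string; TopicArn?: string; SubscribeURL?: string; SigningCertURL?: string };
type Decision = { ok: true; url: string } | { ok: false; reason: string };

// Only HTTPS on an sns.<region>.amazonaws.com host, with no embedded
// credentials and no non-default port, may ever be fetched by the server.
const SNS_HOST = /^sns\.[a-z0-9-]+\.amazonaws\.com$/;

export function isAllowedSnsUrl(raw: string): boolean {
  let url: URL;
  try {
    url = new URL(raw);
  } catch {
    return false; // unparseable input is never fetched
  }
  return url.protocol === "https:" && SNS_HOST.test(url.hostname) &&
    url.username === "" && url.password === "" && url.port === "";
}

// Decide whether a request body may trigger an outbound GET, and to where.
// trustedTopics is the operator's allow-list of TopicArns that may subscribe.
export function confirmationTarget(body: string, trustedTopics: Set<string>): Decision {
  let msg: SnsMessage;
  try {
    msg = JSON.parse(body) as SnsMessage;
  } catch {
    return { ok: false, reason: "body is not JSON" };
  }
  if (msg.Type !== "SubscriptionConfirmation") {
    return { ok: false, reason: `no outbound fetch for Type=${msg.Type}` };
  }
  if (!msg.TopicArn || !trustedTopics.has(msg.TopicArn)) {
    return { ok: false, reason: "TopicArn not in allow-list" };
  }
  // SigningCertURL gets the same check: signature verification downloads it,
  // and both fields are attacker-controlled text until then.
  for (const u of [msg.SubscribeURL, msg.SigningCertURL]) {
    if (!u || !isAllowedSnsUrl(u)) return { ok: false, reason: "URL outside SNS allow-list" };
  }
  return { ok: true, url: msg.SubscribeURL as string };
}
```

Pair this with network-level egress rules: the URL check stops the handler from being steered, and the egress rule bounds the damage if another code path is found.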
Details
- CWE(s): CWE-918 (Server-Side Request Forgery)
- Affected Products: Plunk, versions prior to 0.7.0
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The SSRF vulnerability in the unauthenticated, public-facing SNS webhook handler (T1190, Exploit Public-Facing Application) allows arbitrary internal and external HTTP requests, enabling network service discovery (T1046), cloud service discovery including metadata services (T1526), and unsecured credential access via the cloud instance metadata API (T1552.005).