Critical (9.3)

Plunk SSRF Vulnerability (CVE-2026-32096) - Update to 0.7.0 [PoC]

CVE-2026-32096

Plunk is an open-source email platform built on top of AWS SES. Prior to 0.7.0, a Server-Side Request Forgery (SSRF) vulnerability existed in the SNS webhook handler. An unauthenticated attacker could...

Affected: Plunk (useplunk/plunk), versions prior to 0.7.0

Overview

A critical Server-Side Request Forgery (SSRF) vulnerability, identified as CVE-2026-32096, has been discovered in the Plunk open-source email platform. The flaw affects versions prior to 0.7.0 and allows an unauthenticated attacker to make the Plunk server issue outbound HTTP GET requests to destinations of the attacker's choosing.

Vulnerability Details

Plunk is an email delivery platform built on AWS Simple Email Service (SES). The vulnerability resided in its SNS (Simple Notification Service) webhook handler, the HTTP endpoint at which Plunk receives notifications that SNS pushes to it (SES reports delivery events such as bounces and complaints through SNS). A webhook is simply an HTTP endpoint that one service calls to deliver events to another; because SNS must be able to reach it, the endpoint is exposed without authentication.

Due to insufficient validation of incoming webhook data, an attacker could craft a malicious request that tricks the Plunk server into making an HTTP GET request to any URL the attacker specifies. The attacker controls the destination but not the HTTP method or body, which still allows reaching internal services on a private network, the cloud instance metadata service, and other backend systems that are not normally exposed to the internet.
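The pattern described above, as an added illustrative example in TypeScript (the language Plunk is written in). This is not Plunk's code and not the patched handler: it models an SNS HTTP endpoint that auto-confirms topic subscriptions by fetching the SubscribeURL carried in a SubscriptionConfirmation message, which is the usual way an SNS webhook ends up issuing an attacker-chosen GET. Whether that is the exact field involved in CVE-2026-32096 is an assumption; the field names (Type, TopicArn, SubscribeURL) follow the documented SNS HTTP message format, and the sample payloads are constructed.

```typescript
// Added illustrative example (not Plunk's code). The unsafe planner fetches
// whatever URL the sender supplies; the hardened planner only fetches a
// confirmation URL for the expected topic on a genuine SNS host. Both return
// a decision instead of performing the fetch so the logic can be tested offline.

interface SnsMessage {
  Type?: string;
  TopicArn?: string;
  SubscribeURL?: string;
  Message?: string;
}

type Decision = { fetchUrl: string | null; reason: string | null };

function parseJson(body: string): SnsMessage | null {
  try { return JSON.parse(body) as SnsMessage; } catch { return null; }
}

function parseUrl(raw: string): URL | null {
  try { return new URL(raw); } catch { return null; }
}

// UNSAFE: anyone who can POST to the webhook picks the URL the server fetches.
function planConfirmationUnsafe(body: string): Decision {
  const msg = parseJson(body);
  if (msg && msg.Type === "SubscriptionConfirmation" && msg.SubscribeURL) {
    return { fetchUrl: msg.SubscribeURL, reason: null }; // SSRF: destination is attacker-controlled
  }
  return { fetchUrl: null, reason: "not a confirmation" };
}

// Returns null if the URL may be fetched, otherwise the reason for refusing it.
function rejectSubscribeUrl(raw: string, expectedTopicArn: string): string | null {
  const u = parseUrl(raw);
  if (!u) return "unparseable URL";
  if (u.protocol !== "https:") return "scheme must be https";
  if (u.username || u.password) return "credentials embedded in URL";
  if (u.port !== "") return "non-default port";
  // Confirmation URLs point at sns.<region>.amazonaws.com (China regions use
  // amazonaws.com.cn; add that pattern if you deploy there). The regex is
  // anchored, so "sns.us-east-1.amazonaws.com.attacker.example" does not match.
  if (!/^sns\.[a-z0-9-]+\.amazonaws\.com$/.test(u.hostname)) return "host is not an SNS endpoint";
  if (u.searchParams.get("Action") !== "ConfirmSubscription") return "not a ConfirmSubscription URL";
  if (u.searchParams.get("TopicArn") !== expectedTopicArn) return "TopicArn mismatch in URL";
  return null;
}

// HARDENED: only a confirmation for the topic we expect, only to an SNS host.
// In production, verify the SNS message signature before any of this (and
// apply the same host check to SigningCertURL before downloading the cert).
function planConfirmationHardened(body: string, expectedTopicArn: string): Decision {
  const msg = parseJson(body);
  if (!msg) return { fetchUrl: null, reason: "invalid JSON" };
  if (msg.Type !== "SubscriptionConfirmation") return { fetchUrl: null, reason: "not a confirmation" };
  if (msg.TopicArn !== expectedTopicArn) return { fetchUrl: null, reason: "TopicArn mismatch in message" };
  if (!msg.SubscribeURL) return { fetchUrl: null, reason: "missing SubscribeURL" };
  const reason = rejectSubscribeUrl(msg.SubscribeURL, expectedTopicArn);
  return reason ? { fetchUrl: null, reason } : { fetchUrl: msg.SubscribeURL, reason: null };
}

// Constructed sample payloads (topic ARN, token and hosts are made up).
const EXPECTED_TOPIC = "arn:aws:sns:us-east-1:123456789012:ses-events";
const ATTACKER_BODY = JSON.stringify({
  Type: "SubscriptionConfirmation",
  TopicArn: EXPECTED_TOPIC,
  SubscribeURL: "http://169.254.169.254/latest/meta-data/iam/security-credentials/",
});
const LOOKALIKE_BODY = JSON.stringify({
  Type: "SubscriptionConfirmation",
  TopicArn: EXPECTED_TOPIC,
  SubscribeURL: "https://sns.us-east-1.amazonaws.com.attacker.example/?Action=ConfirmSubscription&TopicArn=" + EXPECTED_TOPIC,
});
const GENUINE_BODY = JSON.stringify({
  Type: "SubscriptionConfirmation",
  TopicArn: EXPECTED_TOPIC,
  SubscribeURL: "https://sns.us-east-1.amazonaws.com/?Action=ConfirmSubscription&TopicArn=" + EXPECTED_TOPIC + "&Token=2336412f37fb687f5d51e6e2425ba1f7",
});

console.log("unsafe   :", planConfirmationUnsafe(ATTACKER_BODY));
console.log("hardened :", planConfirmationHardened(ATTACKER_BODY, EXPECTED_TOPIC));
console.log("lookalike:", planConfirmationHardened(LOOKALIKE_BODY, EXPECTED_TOPIC));
console.log("genuine  :", planConfirmationHardened(GENUINE_BODY, EXPECTED_TOPIC));
```

Separating the decision from the fetch is deliberate: the planner is a pure function you can unit-test against hostile payloads, and the single call site that performs the GET can additionally pin DNS resolution and refuse redirects, which a host allow-list alone does not cover.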

Potential Impact

The impact of this vulnerability is severe (CVSS Score: 9.3). By exploiting this SSRF flaw, an attacker could:

  • Scan internal networks to discover and map sensitive, non-public services.
  • Query the cloud instance metadata service (such as the AWS Instance Metadata Service) to steal temporary cloud credentials and escalate access. Note that because the forged request is a GET, IMDSv1 is directly exposed, whereas IMDSv2 requires a PUT to obtain a session token first; instances enforcing IMDSv2 are not trivially harvested through this flaw.
  • Interact with internal APIs that trust requests originating from the server, leading to data theft or further system compromise.
  • Serve as the first step of a larger attack chain, potentially leading to a full-scale data breach.

Because the webhook endpoint is reachable without authentication, exploitation requires no credentials, which makes the flaw highly exploitable.

Remediation and Mitigation

The Plunk maintainers have released a fix in version 0.7.0. All users must take immediate action.

Primary Action: Update Immediately

  • Upgrade your Plunk installation to version 0.7.0 or later. This is the only complete remediation.

Temporary Mitigation (If Update is Delayed):

  • If an immediate upgrade is not possible, restrict outbound HTTP traffic from the Plunk server at the network firewall or security-group level to the AWS SES and SNS endpoints it legitimately needs, and explicitly block loopback, private (RFC 1918) and link-local (169.254.0.0/16) destinations. This may break functionality if the allow-list is incomplete and is only a stopgap until the patch can be applied.
  • If Plunk runs on EC2, require IMDSv2 on the instance so that a GET-only SSRF cannot read instance credentials from the metadata service.
  • Monitor server and egress logs for unusual outbound connection attempts, particularly to internal IP addresses or cloud metadata endpoints.
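The log-monitoring mitigation above, as an added example that is not part of the original advisory: a small egress-log analyser that classifies the destination of each outbound connection from the Plunk host and flags anything that is not a public address, calling out the instance metadata address separately. The log line format and the sample lines are constructed for this example (203.0.113.0/24 is a documentation range standing in for the real AWS endpoint addresses); adapt parseLine() to whatever your proxy, conntrack or VPC flow log actually emits.

```typescript
// Added example (not Plunk's code): flag outbound connections from the Plunk
// host that target loopback, private or link-local destinations. Only IPv4 is
// classified; anything else is reported as unclassified for manual review.

type Zone = "loopback" | "private" | "link-local" | "public" | "invalid";

function ipv4ToInt(ip: string): number | null {
  const parts = ip.split(".");
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p)) return null;
    const v = Number(p);
    if (v > 255) return null;
    n = n * 256 + v;
  }
  return n;
}

// Unsigned prefix comparison; avoids JS signed 32-bit shift pitfalls.
function inCidr(ip: number, base: string, bits: number): boolean {
  const b = ipv4ToInt(base)!;
  const block = 2 ** (32 - bits);
  return Math.floor(ip / block) === Math.floor(b / block);
}

function classifyIpv4(ip: string): Zone {
  const n = ipv4ToInt(ip);
  if (n === null) return "invalid";
  if (inCidr(n, "127.0.0.0", 8)) return "loopback";
  if (inCidr(n, "10.0.0.0", 8) || inCidr(n, "172.16.0.0", 12) || inCidr(n, "192.168.0.0", 16)) return "private";
  if (inCidr(n, "169.254.0.0", 16)) return "link-local"; // includes the AWS metadata address
  return "public";
}

const METADATA_IP = "169.254.169.254";

interface Finding { line: number; dst: string; zone: Zone; severity: "critical" | "high"; note: string }

// Constructed line format: "<ts> plunk outbound dst=<ip> port=<n> url=<url>"
function parseLine(line: string): { dst: string; port: number; url: string } | null {
  const m = /dst=(\S+)\s+port=(\d+)\s+url=(\S+)/.exec(line);
  return m ? { dst: m[1], port: Number(m[2]), url: m[3] } : null;
}

function analyzeEgressLog(lines: string[]): Finding[] {
  const findings: Finding[] = [];
  lines.forEach((line, i) => {
    const rec = parseLine(line);
    if (!rec) return;
    const zone = classifyIpv4(rec.dst);
    if (zone === "public") return; // SES/SNS endpoints are public; nothing to flag
    if (rec.dst === METADATA_IP) {
      findings.push({ line: i + 1, dst: rec.dst, zone, severity: "critical", note: "instance metadata service (" + rec.url + ")" });
    } else {
      const what = zone === "invalid" ? "unclassified destination" : zone + " destination";
      findings.push({ line: i + 1, dst: rec.dst, zone, severity: "high", note: what + " (" + rec.url + ")" });
    }
  });
  return findings;
}

// Constructed sample log; line 2 is what a metadata-credential grab looks like.
const SAMPLE_LOG = [
  "2026-03-10T12:00:01Z plunk outbound dst=203.0.113.10 port=443 url=https://sns.us-east-1.amazonaws.com/?Action=ConfirmSubscription",
  "2026-03-10T12:00:07Z plunk outbound dst=169.254.169.254 port=80 url=http://169.254.169.254/latest/meta-data/iam/security-credentials/",
  "2026-03-10T12:00:09Z plunk outbound dst=10.0.3.15 port=8080 url=http://10.0.3.15:8080/admin",
  "2026-03-10T12:00:11Z plunk outbound dst=127.0.0.1 port=6379 url=http://127.0.0.1:6379/",
  "2026-03-10T12:00:15Z plunk outbound dst=203.0.113.25 port=443 url=https://email.us-east-1.amazonaws.com/",
];

for (const f of analyzeEgressLog(SAMPLE_LOG)) {
  console.log(f.severity.toUpperCase(), "line", f.line, f.dst, f.zone, f.note);
}
```

A single hit on 169.254.169.254 from the Plunk process is worth treating as an incident rather than a warning: the handler has no legitimate reason to talk to the metadata service, and the credentials it would return are the same ones the attacker gets.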

For any Plunk deployment, applying security updates promptly is essential to protecting your email infrastructure and the broader network environment it sits in.


Public PoC References

Unverified third-party code

These repositories are publicly listed on GitHub and have not been audited by Yazoul Security. They may contain malware, backdoors, destructive payloads, or operational security risks (telemetry, exfiltration). Treat them as hostile binaries. Inspect source before execution. Run only in isolated, disposable lab environments (offline VM, no credentials, no production data).

Authorized use only. This information is provided for defensive research, detection engineering, and patch validation. Using exploit code against systems you do not own or do not have explicit written permission to test is illegal in most jurisdictions and violates Yazoul's terms of use.

Repository: andrebhu/CVE-2026-32096
Description: SSRF in useplunk/plunk
Stars: 0

Showing 1 of 1 known references. Source: nomi-sec/PoC-in-GitHub.
