CVE-2026-32096

9.3 CRITICAL

📋 TL;DR

An unauthenticated Server-Side Request Forgery (SSRF) vulnerability in Plunk's SNS webhook handler allows attackers to make arbitrary HTTP GET requests from the server to any accessible host. This affects all Plunk deployments prior to version 0.7.0. Attackers could potentially access internal services or exfiltrate data.

💻 Affected Systems

Products:
  • Plunk
Versions: All versions prior to 0.7.0
Operating Systems: Any
Default Config Vulnerable: ⚠️ Yes
Notes: Affects any Plunk deployment with SNS webhook functionality enabled, which is the default configuration.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attacker accesses internal AWS metadata service to obtain IAM credentials, leading to full AWS account compromise and data exfiltration.

🟠 Likely Case

Attacker probes internal network services, accesses sensitive internal APIs, or uses the server as a proxy for attacks against other systems.

🟢 If Mitigated

Limited to port scanning internal services if network segmentation and proper AWS IAM policies are in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

SSRF vulnerabilities are commonly exploited and require minimal technical skill to weaponize.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.7.0

Vendor Advisory: https://github.com/useplunk/plunk/security/advisories/GHSA-xpqg-p8mp-7g44

Restart Required: Yes

Instructions:

1. Update Plunk to version 0.7.0 or later.
2. Restart the Plunk service.
3. Verify the fix by checking the version and testing the SNS webhook endpoint.

🔧 Temporary Workarounds

Disable SNS Webhook Handler

Applies to: all

Temporarily disable the vulnerable SNS webhook functionality until patching is possible.

Action: Modify Plunk configuration to disable SNS webhook handling.

Network Segmentation

Applies to: all

Restrict outbound HTTP traffic from the Plunk server to only necessary destinations.

Action: Configure firewall rules to block outbound HTTP/HTTPS from the Plunk server except to AWS SES endpoints.

🧯 If You Can't Patch

  • Implement strict network egress filtering to limit outbound HTTP requests from the Plunk server
  • Deploy a web application firewall (WAF) with SSRF protection rules in front of Plunk

🔍 How to Verify

Check if Vulnerable:

Check whether the Plunk version is below 0.7.0 and the SNS webhook endpoint is reachable.

Check Version:

Check the Plunk configuration or deployment manifest for version information.

Verify Fix Applied:

Confirm the Plunk version is 0.7.0 or higher and test that the SNS webhook no longer accepts arbitrary URLs.

📡 Detection & Monitoring

Log Indicators:

  • Unusual outbound HTTP requests from Plunk server
  • SNS webhook requests with non-AWS URLs

Network Indicators:

  • HTTP traffic from Plunk server to unexpected internal or external destinations

SIEM Query:

source="plunk" AND (url_contains="http://" OR url_contains="https://") AND NOT url_contains="amazonaws.com"
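An added example, not Plunk's code and not part of the advisory: a strict allowlist check for the URL an SNS webhook is asked to fetch, applied to a few constructed log lines. It assumes an outgoing-request log format of `sns-webhook url=...`, which is invented for the example, and an allowlist limited to `.amazonaws.com` hosts. It tightens the substring test in the SIEM query above into an https-only, hostname-suffix check, so raw IP literals and URLs that merely contain `amazonaws.com` in the userinfo part are still flagged.

```python
"""Added example (not Plunk's code): allowlist check for URLs arriving in an
SNS webhook, plus a scan of constructed log lines for non-AWS webhook URLs."""
import ipaddress
import re
from urllib.parse import urlparse

# Assumption: the webhook should only ever fetch AWS-hosted URLs (for example
# the SubscribeURL that SNS sends during subscription confirmation).
ALLOWED_SUFFIXES = (".amazonaws.com",)


def is_allowed_webhook_url(url: str) -> bool:
    """Return True only for https URLs whose host ends in an allowed AWS suffix.

    Raw IP literals (including 169.254.169.254, the instance metadata address)
    are rejected outright: a hostname-suffix allowlist can never match them.
    """
    try:
        parts = urlparse(url)
    except ValueError:
        return False
    if parts.scheme != "https":
        return False
    # .hostname strips userinfo and port, so "https://x.amazonaws.com@evil/"
    # yields the real target host "evil", not the decoy in front of the '@'.
    host = (parts.hostname or "").lower()
    if not host:
        return False
    try:
        ipaddress.ip_address(host)
        return False  # IP literal: never an AWS API hostname
    except ValueError:
        pass
    # Suffix starts with a dot, so "evil-amazonaws.com" does not match.
    return any(host.endswith(suffix) for suffix in ALLOWED_SUFFIXES)


# Constructed sample log lines in an assumed "<ts> <level> sns-webhook url=<...>"
# format; this is not real Plunk output.
SAMPLE_LOG = """\
2026-03-01T10:00:01Z INFO sns-webhook url=https://sns.us-east-1.amazonaws.com/?Action=ConfirmSubscription&Token=abc
2026-03-01T10:00:07Z INFO sns-webhook url=http://169.254.169.254/latest/meta-data/
2026-03-01T10:00:09Z INFO sns-webhook url=https://sns.amazonaws.com@attacker.example/collect
2026-03-01T10:00:12Z INFO sns-webhook url=https://internal-api.corp.local:8080/admin
2026-03-01T10:00:15Z INFO http-server GET /healthz 200
"""

URL_RE = re.compile(r"url=(\S+)")


def find_suspicious_webhook_urls(log_text: str) -> list[str]:
    """Return the URLs from sns-webhook log lines that fail the allowlist.

    Same intent as the SIEM query, but with a hostname check instead of a
    substring match on 'amazonaws.com'.
    """
    hits = []
    for line in log_text.splitlines():
        if "sns-webhook" not in line:
            continue
        match = URL_RE.search(line)
        if match and not is_allowed_webhook_url(match.group(1)):
            hits.append(match.group(1))
    return hits


if __name__ == "__main__":
    for suspicious in find_suspicious_webhook_urls(SAMPLE_LOG):
        print("suspicious webhook fetch:", suspicious)
```

On the constructed sample, the three non-AWS fetches are reported and the genuine SNS confirmation URL is not. The same `is_allowed_webhook_url` check is the kind of guard a webhook handler needs before issuing its GET, independent of the egress filtering recommended above.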
