CVE-2026-4984

The Twilio integration webhook handler accepts any POST request without validating Twilio’s ‘X-Twilio-Signature’.

When processing media messages, it fetches user-controlled URLs (‘MediaUrlN’ parameters) using HTTP requests that include the integration’s Twilio credentials in the ‘Authorization’ header.

An attacker can forge a webhook payload pointing to their own server and receive the victim’s ‘accountSID’ and ‘authToken’ in plaintext (base64-encoded Basic Auth), leading to full compromise of the Twilio account.

More information : https://www.tenable.com/security/research/tra-2026-22