{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/pipecat/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["pipecat development runner"],"_cs_severities":["medium"],"_cs_tags":["api-security","websocket","telephony","cwe-862","python"],"_cs_type":"advisory","_cs_vendors":["pipecat","Twilio","Telnyx","Plivo"],"content_html":"\u003cp\u003eA missing authorization vulnerability (CWE-862) affects the \u003ccode\u003epipecat\u003c/code\u003e development runner, specifically its telephony WebSocket \u003ccode\u003e/ws\u003c/code\u003e endpoint. An unauthenticated remote attacker who can reach an exposed \u003ccode\u003epipecat\u003c/code\u003e runner can connect to this endpoint, which accepts connections without any authentication. By sending a crafted Twilio WebSocket handshake message containing an attacker-supplied \u003ccode\u003ecallSid\u003c/code\u003e (e.g., \u003ccode\u003eCAATTACKER1337INJECTED00000000001\u003c/code\u003e), the attacker can trick the server. The runner will then issue an authenticated Twilio REST API hang-up request against that \u003ccode\u003ecallSid\u003c/code\u003e using the server operator's own \u003ccode\u003eTWILIO_ACCOUNT_SID\u003c/code\u003e and \u003ccode\u003eTWILIO_AUTH_TOKEN\u003c/code\u003e credentials. Similar vulnerabilities exist for Telnyx and Plivo. Although designed for development and defaulting to \u003ccode\u003elocalhost\u003c/code\u003e, \u003ccode\u003epipecat\u003c/code\u003e runners are often exposed publicly via proxies for telephony provider callbacks, creating a critical attack surface for call disruption and credential abuse.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated remote attacker identifies an exposed \u003ccode\u003epipecat\u003c/code\u003e development runner with an accessible \u003ccode\u003e/ws\u003c/code\u003e WebSocket endpoint, typically fronted by a public proxy.\u003c/li\u003e\n\u003cli\u003eThe attacker establishes an unauthenticated WebSocket connection to the \u003ccode\u003e/ws\u003c/code\u003e endpoint on the \u003ccode\u003epipecat\u003c/code\u003e runner.\u003c/li\u003e\n\u003cli\u003eThe attacker sends a crafted Twilio WebSocket \u0026quot;start\u0026quot; handshake message, embedding an attacker-controlled \u003ccode\u003ecallSid\u003c/code\u003e (e.g., \u003ccode\u003eCAATTACKER1337INJECTED00000000001\u003c/code\u003e) into the JSON payload.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003epipecat\u003c/code\u003e runner, lacking authentication checks, accepts the connection and extracts the attacker-supplied \u003ccode\u003ecallSid\u003c/code\u003e from the handshake message without validation.\u003c/li\u003e\n\u003cli\u003eWhen the \u003ccode\u003epipecat\u003c/code\u003e pipeline terminates (e.g., via an \u003ccode\u003eEndFrame\u003c/code\u003e or \u003ccode\u003eCancelFrame\u003c/code\u003e), its \u003ccode\u003eTwilioFrameSerializer\u003c/code\u003e (which defaults \u003ccode\u003eauto_hang_up\u003c/code\u003e to \u003ccode\u003eTrue\u003c/code\u003e) automatically triggers the \u003ccode\u003e_hang_up_call()\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003e_hang_up_call()\u003c/code\u003e function constructs a Twilio REST API URL, incorporating the attacker-supplied \u003ccode\u003ecallSid\u003c/code\u003e into the endpoint (e.g., \u003ccode\u003eapi.twilio.com/.../Calls/{attacker_call_sid}.json\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003epipecat\u003c/code\u003e runner then uses its own configured \u003ccode\u003eTWILIO_ACCOUNT_SID\u003c/code\u003e and \u003ccode\u003eTWILIO_AUTH_TOKEN\u003c/code\u003e (from environment variables) to send an authenticated POST request to the constructed Twilio API URL.\u003c/li\u003e\n\u003cli\u003eThis POST request forcibly terminates the call associated with the attacker-supplied \u003ccode\u003ecallSid\u003c/code\u003e, leading to denial of service or abuse of the operator's telephony account.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis vulnerability, categorized as Missing Authorization (CWE-862), allows an unauthenticated network attacker to remotely interact with an exposed \u003ccode\u003epipecat\u003c/code\u003e development runner. If the runner is configured with live Twilio, Telnyx, or Plivo credentials, the attacker can forcibly terminate active calls by injecting a known or guessed \u003ccode\u003ecallSid\u003c/code\u003e into the WebSocket handshake. This leads to denial of service for ongoing communications and enables the attacker to abuse the organization's telephony provider credentials for unauthorized call-control actions. Organizations relying on \u003ccode\u003epipecat\u003c/code\u003e for telephony integrations that have inadvertently exposed development instances to the public internet are at risk of significant operational disruption and potential compromise of their telephony accounts.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003eReview \u003ccode\u003epipecat\u003c/code\u003e runner deployments\u003c/strong\u003e: Ensure \u003ccode\u003epipecat\u003c/code\u003e development runners are strictly bound to \u003ccode\u003elocalhost\u003c/code\u003e or internal, trusted network interfaces, and are not accessible from untrusted networks, as highlighted in the \u003ccode\u003eOverview\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eNetwork Monitoring and Blocking\u003c/strong\u003e: Monitor outbound connections from \u003ccode\u003epipecat\u003c/code\u003e runner hosts to telephony API endpoints such as \u003ccode\u003eapi.twilio.com\u003c/code\u003e, \u003ccode\u003eapi.telnyx.com\u003c/code\u003e, and \u003ccode\u003eapi.plivo.com\u003c/code\u003e (listed in IOCs), and implement network filtering or segmentation to restrict such traffic unless explicitly required and carefully configured.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDetection Engineering\u003c/strong\u003e: Deploy the Sigma rule \u0026quot;Pipecat Telephony Runner Outbound Call Control Request\u0026quot; from this brief to your SIEM and tune it to identify anomalous outbound call termination requests originating from pipecat processes.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-06-18T15:22:33Z","date_published":"2026-06-18T15:22:33Z","id":"https://feed.craftedsignal.io/briefs/2026-06-pipecat-unauth-call-control/","summary":"An unauthenticated remote attacker can leverage a missing authorization vulnerability (CWE-862) in the Pipecat development runner's `/ws` WebSocket endpoint to supply a crafted `callSid` in a handshake message, compelling the server to use its configured Twilio, Telnyx, or Plivo credentials to issue authenticated API requests that terminate active calls, resulting in denial of service and credential abuse.","title":"Pipecat Telephony Runner Unauthenticated Call-Control Abuse","url":"https://feed.craftedsignal.io/briefs/2026-06-pipecat-unauth-call-control/"}],"language":"en","title":"CraftedSignal Threat Feed - Pipecat","version":"https://jsonfeed.org/version/1.1"}