{"data":{"id":"37f3e7aa-b0cb-4868-8035-71e6ebe59abb","title":"GHSA-j8cv-x86q-rj85: Pipecat: Telephony WebSocket `/ws` Unauthenticated Call-Control Abuse via Attacker-Supplied Call SID","summary":"Pipecat's development runner has an unauthenticated WebSocket endpoint (`/ws`) that accepts telephony connections without verifying who is connecting. An attacker can send a fake Twilio handshake message with a call SID they choose, and the server will use its own Twilio credentials to hang up that call, potentially terminating calls on the victim's account. The same vulnerability exists for Telnyx and Plivo telephony providers.","solution":"Upgrade pipecat-ai to 1.4.0 or later (the fixed version listed under affectedPackages). No other mitigation is discussed in the source.","labels":["security"],"sourceUrl":"https://github.com/advisories/GHSA-j8cv-x86q-rj85","publishedAt":"2026-06-18T15:05:17.000Z","cveId":"CVE-2026-54695","cweIds":null,"cvssScore":null,"cvssSeverity":"high","severity":"high","attackType":["other"],"issueType":"vulnerability","affectedPackages":["pipecat-ai@>= 0.0.77, < 1.4.0 (fixed: 1.4.0)"],"affectedVendors":["LangChain"],"affectedVendorsRaw":["Pipecat","Twilio","Telnyx","Plivo"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":"unknown","epssScore":0,"patchAvailable":true,"disclosureDate":"2026-06-18T15:05:17.000Z","capecIds":null,"crossRefCount":0,"attackSophistication":"trivial","impactType":["integrity","availability"],"aiComponentTargeted":"api","llmSpecific":false,"classifierConfidence":0.92,"researchCategory":null,"atlasIds":null}}