GHSA-j8cv-x86q-rj85: Pipecat: Telephony WebSocket `/ws` Unauthenticated Call-Control Abuse via Attacker-Supplied Call SID
Summary
Pipecat's development runner has an unauthenticated WebSocket endpoint (`/ws`) that accepts telephony connections without verifying who is connecting. An attacker can send a fake Twilio handshake message with a call ID they choose, and the server will use its own Twilio credentials to hang up that call, potentially terminating calls on the victim's account. The same vulnerability exists for Telnyx and Plivo telephony providers.
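One way to bind the `/ws` handshake to a call the server already knows about, shown as an added example (it is not Pipecat's code or its fix). It assumes the Twilio Media Streams `start` message with `start.callSid` and `start.customParameters`, and a token the server places in a `<Parameter>` of its `<Stream>` TwiML; `STREAM_SECRET`, `issue_stream_token` and `authorize_start` are hypothetical names, and the Telnyx and Plivo handshakes are not covered.

```python
import hashlib
import hmac
import json
import time
from typing import Optional

# Assumption: server-side secret, never sent to clients (constructed value).
STREAM_SECRET = b"constructed-demo-secret"
TOKEN_TTL = 60  # seconds allowed between the webhook and the WebSocket handshake


def _mac(call_sid: str, expires: int) -> bytes:
    data = f"{call_sid}:{expires}".encode()
    return hmac.new(STREAM_SECRET, data, hashlib.sha256).hexdigest().encode()


def issue_stream_token(call_sid: str, now: Optional[float] = None) -> str:
    """Run in the signature-verified voice webhook, for the call it reported."""
    expires = int((time.time() if now is None else now) + TOKEN_TTL)
    return f"{expires}.{_mac(call_sid, expires).decode()}"


def authorize_start(raw: str, now: Optional[float] = None) -> Optional[str]:
    """Return the call SID only if the server itself issued a token for it."""
    now = time.time() if now is None else now
    try:
        msg = json.loads(raw)
        start = msg["start"]
        call_sid = start["callSid"]
        if msg["event"] != "start" or not isinstance(call_sid, str):
            return None
        expires_s, digest = start["customParameters"]["token"].split(".", 1)
        expires = int(expires_s)
        valid = hmac.compare_digest(_mac(call_sid, expires), digest.encode())
    except (ValueError, KeyError, TypeError, AttributeError):
        return None  # a malformed handshake is rejected like a bad token
    # A SID the client merely asserts never reaches the provider's REST API.
    return call_sid if valid and expires >= now else None


if __name__ == "__main__":
    sid = "CA" + "0" * 32  # constructed call SID
    frame = {"event": "start", "start": {
        "callSid": sid,
        "customParameters": {"token": issue_stream_token(sid)}}}
    print(authorize_start(json.dumps(frame)))    # token matches this SID
    frame["start"]["callSid"] = "CA" + "1" * 32  # same token, different SID
    print(authorize_start(json.dumps(frame)))    # rejected
```

The handler would call the provider's hang-up API only with the value `authorize_start` returns, and close the socket when it returns `None`.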
Vulnerability Details
EPSS: 0.0%
Yes
June 18, 2026
Related Issues
CVE-2026-34371: LibreChat is a ChatGPT clone with additional features. Prior to 0.8.4, LibreChat trusts the name field returned by the e
CVE-2024-27444: langchain_experimental (aka LangChain Experimental) in LangChain before 0.1.8 allows an attacker to bypass the CVE-2023-
Original source: https://github.com/advisories/GHSA-j8cv-x86q-rj85
First tracked: June 18, 2026 at 02:00 PM