| Titel | Mettle sendportal Latest Improper Authentication |
|---|
| Beschreibung | Full technical report, proof-of-concept requests, screenshots, database evidence, logs, and reproduction artifacts are available at:
[https://drive.google.com/drive/folders/1yfzkZGXsP8tS2v3LvMr5vMfhTfURtiS0?usp=sharing]
Title: Unauthenticated Forged SendGrid Webhooks Allow Subscriber Suppression Due to Missing Signature Verification
Vendor: Mettle
Product: SendPortal
Affected Version: Latest
Class: Authentication Bypass / Insufficient Verification of Data Authenticity
CWE: CWE-345 – Insufficient Verification of Data Authenticity
Summary
A vulnerability exists in SendPortal's webhook processing functionality where provider webhook events are accepted and processed without validating their authenticity.
The SendGrid webhook endpoint accepts unsigned requests and processes them as legitimate provider events. An attacker with access to a valid message_id can submit forged bounce events that cause subscribers to be marked as unsubscribed and excluded from future campaign deliveries.
The same missing-authenticity-verification pattern is present in the Postmark, Postal, and Mailjet webhook handlers.
Technical Details
The SendGrid webhook controller processes incoming JSON payloads and immediately dispatches webhook events without verifying SendGrid's published webhook signature.
The affected route is publicly accessible and does not require authentication.
Observed behavior:
* No authentication token required
* No provider signature required
* No shared secret validation
* No provider authenticity verification
A forged bounce event referencing a valid message_id is accepted and processed successfully.
The webhook processing pipeline subsequently:
1. Locates the associated message record.
2. Marks the message as bounced.
3. Updates the subscriber record.
4. Sets unsubscribed_at.
5. Excludes the subscriber from future campaign deliveries.
Observed Database State
Before forged webhook:
subscriber.id = 1
email = [[email protected]](mailto:[email protected])
unsubscribed_at = NULL
After forged webhook:
subscriber.id = 1
email = [[email protected]](mailto:[email protected])
unsubscribed_at = 2026-06-07 16:07:04
unsubscribe_event_id = 1
The application's campaign dispatch pipeline explicitly filters subscribers using:
whereNull('unsubscribed_at')
As a result, subscribers affected by forged webhook events are excluded from all future campaign dispatches.
Expected Behavior
Webhook requests should be processed only after successful verification of the provider's authenticity mechanism.
Unsigned or invalid webhook requests should be rejected before any state-changing operations occur.
Actual Behavior
Unsigned webhook requests are accepted and processed as legitimate provider events, resulting in unauthorized modification of subscriber state.
Impact
* Unauthorized subscriber suppression
* Permanent exclusion of subscribers from future campaign deliveries
* Modification of application state without authentication
* Publicly reachable attack surface
* Integrity impact on mailing operations
Additional Affected Endpoints
The same missing verification pattern was identified in:
* POST /api/v1/webhooks/postmark
* POST /api/v1/webhooks/postal
* POST /api/v1/webhooks/mailjet
Forged subscriber suppression was demonstrated against the SendGrid implementation. The remaining handlers exhibit the same authenticity-verification weakness.
Steps to Reproduce
1. Create an active subscriber.
2. Ensure a message record exists with a valid message_id.
3. Verify the subscriber has unsubscribed_at = NULL.
4. Submit a forged SendGrid bounce webhook containing the valid message_id.
5. Observe successful processing.
6. Query the subscriber record.
7. Observe unsubscribed_at is populated.
8. Trigger campaign dispatch logic.
9. Observe the subscriber is excluded due to the whereNull('unsubscribed_at') filter.
Evidence
The linked report contains:
* Source code references
* Route analysis
* Controller analysis
* Proof-of-concept requests
* Database before/after evidence
* Application logs
* Impact validation
* Remediation guidance
All supporting material is available in the linked report.
|
|---|
| Quelle | ⚠️ https://github.com/mettle/sendportal/issues/340 |
|---|
| Benutzer | Superman_04 (UID 98152) |
|---|
| Einreichung | 08.06.2026 16:43 (vor 1 Monat) |
|---|
| Moderieren | 09.07.2026 07:36 (1 month later) |
|---|
| Status | Akzeptiert |
|---|
| VulDB Eintrag | 377118 [mettle sendportal bis 3.0.1 APIv1 Webhooks sendgrid/postmark/postal/mailjet schwache Authentisierung] |
|---|
| Punkte | 20 |
|---|