
CVE-2026-54695

CVE-2026-54695 is a high-severity missing authorization vulnerability in pipecat-ai (pip), affecting versions >= 0.0.77, < 1.4.0. It is fixed in 1.4.0.

Key facts

  • CVSS score: 7.5 (High)
  • Attack vector: Network
  • Issuing authority: GitHub Advisory Database
  • Affected package: pipecat-ai
  • Fixed in: 1.4.0
  • Disclosed: 2026

Summary

Development Runner Telephony WebSocket /ws Unauthenticated Call-Control Abuse via Attacker-Supplied Call SID

The pipecat development runner registers a /ws WebSocket endpoint for telephony testing that accepts connections without any authentication. An unauthenticated remote attacker who can reach an exposed runner endpoint can connect to this endpoint, send a crafted Twilio handshake message containing an attacker-supplied callSid, and cause the server to issue an authenticated Twilio REST API hang-up request against that call SID using the server operator's own credentials. This may allow the attacker to forcibly terminate an active call on the victim's Twilio account if the attacker knows or obtains a valid call SID for that account. Equivalent unauthenticated call-control sinks exist for Telnyx and Plivo. Maintainers are evaluating the final CVSS 3.1 score.

Details

The pipecat development runner registers a WebSocket route at /ws (src/pipecat/runner/run.py:1116). When a client connects, the server immediately accepts the connection without performing any authentication or signature verification (run.py:1119):

After acceptance, the server reads the Twilio WebSocket stream-start handshake and extracts the callSid field verbatim from the attacker-controlled JSON payload (src/pipecat/runner/utils.py:223):

The tainted callid is then passed directly into TwilioFrameSerializer alongside the server's own Twilio account credentials, which are read from environment variables (src/pipecat/runner/utils.py:513-517):

TwilioFrameSerializer has autohangup defaulting to True (src/pipecat/serializers/twilio.py:56). When the pipeline terminates and serializes an EndFrame or CancelFrame, hangupcall() is triggered (twilio.py:141-147). This method constructs a Twilio REST API URL containing the attacker-supplied callsid and POSTs to it using the server's own credentials (twilio.py:196, twilio.py:206):

The same unauthenticated call-control pattern exists for Telnyx (src/pipecat/serializers/telnyx.py:188, :195) and Plivo (src/pipecat/serializers/plivo.py:180, :187).

Although the runner defaults to localhost and is documented as a development runner, its telephony mode is commonly used with a public proxy hostname so that telephony providers can connect inbound calls. If the development runner is exposed to untrusted networks while configured with Twilio, Telnyx, or Plivo credentials, this becomes a realistic network-reachable attack surface.

PoC

Prerequisites

  • Docker (for building the isolated PoC image)
  • A clone of the pipecat repository at commit b982b45a7ae1e5ee99e4390ad5a116cdd9b4a8e2 placed at <contextroot>/repo/
  • The files vuln-001/Dockerfile and vuln-001/poc.py present under <contextroot>/

Step 1, Build the Docker image

The Dockerfile installs pipecat from the local repository clone, generates a self-signed TLS CA and server certificate for api.twilio.com, and registers that CA in the system trust store so that pipecat's aiohttp-based HTTP client accepts the mock server certificate.

Step 2, Run the PoC

The --add-host flag redirects DNS resolution for api.twilio.com to the loopback interface so all outgoing Twilio REST API calls hit the mock server instead of Twilio's real infrastructure.

What the PoC does

  • Starts a local TLS-enabled HTTP server on 127.0.0.1:443 that impersonates api.twilio.com and records every incoming POST request.
  • Simulates the attacker-controlled WebSocket handshake message with an injected callSid:

    {"event": "start", "start": {"streamSid": "MX000...", "callSid": "CAATTACKER1337INJECTED00000000001", "customParameters": {}}}

  • Runs the exact pipecat code path: parses callSid from attacker input (utils.py:223), constructs TwilioFrameSerializer with server credentials (utils.py:513-517), and calls serialize(EndFrame()) which triggers hangupcall() (twilio.py:141-147, :196, :206).
  • Verifies that the mock server received a POST whose URL contains the attacker-injected call SID.

Expected output (passing)

Observed intercepted request (Phase 2 dynamic reproduction)

Decoding the Authorization header confirms ACFAKE000000000000000000000000001:fakeauthtokenpoconly, the server's own credentials were used against the attacker-specified call SID.

Impact

This is a Missing Authorization vulnerability (CWE-862) in the development runner's telephony WebSocket handling. An unauthenticated network actor who can reach an exposed /ws WebSocket endpoint of a pipecat development runner configured with Twilio, Telnyx, or Plivo credentials may be able to:

  • Forcibly terminate active calls whose valid call-control identifiers are known or obtained on the server operator's Twilio, Telnyx, or Plivo account by injecting the victim call identifier into the WebSocket handshake and then triggering pipeline termination.
  • Cause denial of service against affected calls by repeatedly terminating calls for which the attacker has valid call-control identifiers.
  • Abuse the operator's telephony provider credentials to perform call-control actions that the attacker does not have direct access to, effectively escalating privilege over the operator's telephony account.

Impacted parties include operators who expose the pipecat development runner's telephony /ws endpoint on a publicly reachable host with Twilio, Telnyx, or Plivo credentials configured, and their customers whose active calls can be disrupted if a valid call-control identifier is known or obtained by an attacker.

Reproduction artifacts

  • Dockerfile
  • poc.py

Resolution

This issue was addressed in pipecat-ai v1.4.0 by adding optional HMAC token authentication for development-runner WebSocket endpoints. Operators who expose the development runner's WebSocket endpoints to anything other than localhost should upgrade to v1.4.0 or later and enable WebSocket token authentication:

or:

When enabled, clients must first call POST /start to obtain a short-lived, one-time-use signed token before connecting to /ws or /ws-client. Tokens may be supplied via Authorization: Bearer <token>, ?token=<token>, or as a path segment such as /ws/<token>, which is intended for telephony providers that cannot set custom headers. Invalid, expired, or replayed tokens are rejected with WebSocket close code 4003.

The fix was merged in https://github.com/pipecat-ai/pipecat/pull/4660.
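
The token gate described in the Resolution can be sketched as follows. This is an added example, not pipecat's implementation: the token layout (expiry.nonce.signature) and the names TokenGate, extract_token and authorize are assumptions, while the three token locations and close code 4003 come from the advisory text.

```python
import base64, hashlib, hmac, secrets, time
from urllib.parse import parse_qs, urlsplit
# Added illustration, not pipecat's code; token format and names are assumptions.
CLOSE_UNAUTHORIZED = 4003  # close code the advisory gives for rejected tokens

class TokenGate:
    def __init__(self, key: bytes, ttl: int = 60):
        self._key, self._ttl = key, ttl
        self._used = {}  # nonce -> expiry, for one-time-use enforcement

    def _sign(self, payload: str) -> str:
        mac = hmac.new(self._key, payload.encode(), hashlib.sha256).digest()
        return base64.urlsafe_b64encode(mac).rstrip(b"=").decode()

    def issue(self, now=None) -> str:  # what a POST /start handler would return
        exp = int((time.time() if now is None else now) + self._ttl)
        payload = f"{exp}.{secrets.token_urlsafe(16)}"
        return f"{payload}.{self._sign(payload)}"

    def verify(self, token, now=None) -> bool:
        now = time.time() if now is None else now
        try:
            exp_s, nonce, sig = token.split(".")
            exp = int(exp_s)
        except (AttributeError, ValueError):
            return False  # missing or malformed token
        good = self._sign(f"{exp_s}.{nonce}")
        if not hmac.compare_digest(sig.encode(), good.encode()):
            return False  # forged or tampered
        # Drop nonces whose tokens have expired so the replay table stays small.
        self._used = {n: e for n, e in self._used.items() if e > now}
        if now >= exp or nonce in self._used:
            return False  # expired or replayed
        self._used[nonce] = exp
        return True

def extract_token(target: str, headers: dict):
    """Bearer header, then ?token=, then the /ws/<token> path segment."""
    auth = headers.get("authorization", "")
    if auth.lower().startswith("bearer "):
        return auth[7:].strip()
    url = urlsplit(target)
    q = parse_qs(url.query).get("token")
    if q:
        return q[0]
    parts = url.path.strip("/").split("/")
    return parts[1] if len(parts) == 2 and parts[0] == "ws" else None

def authorize(gate, target, headers, now=None):
    """Run before accepting the socket or reading callSid; None means accept."""
    return None if gate.verify(extract_token(target, headers), now) else CLOSE_UNAUTHORIZED
```

The check has to run before the handshake message is parsed, so that a callSid from an unauthenticated peer never reaches a serializer holding provider credentials.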

Impact

What is missing authorization?

The application does not perform an authorization check before performing a sensitive operation. Typical impact: unauthorized access to restricted functionality or data.

Severity and exposure

CVE-2026-54695 has a CVSS score of 7.5 (High). The vector is network-reachable, no privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment.

A fixed version is available (1.4.0). Upgrading removes the vulnerable code path.

Affected versions

pip

  • pipecat-ai (>= 0.0.77, < 1.4.0)

Security releases

  • pipecat-ai → 1.4.0 (pip)
Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter instead of chasing every advisory.

Remediation advice

Upgrade pipecat-ai to 1.4.0 or later to resolve this vulnerability.

Frequently asked questions about CVE-2026-54695

What is CVE-2026-54695?

CVE-2026-54695 is a high-severity missing authorization vulnerability in pipecat-ai (pip), affecting versions >= 0.0.77, < 1.4.0. It is fixed in 1.4.0. The application does not perform an authorization check before performing a sensitive operation.

How severe is CVE-2026-54695?

CVE-2026-54695 has a CVSS score of 7.5 (High). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.

Which versions of pipecat-ai are affected by CVE-2026-54695?

pipecat-ai (pip) versions >= 0.0.77, < 1.4.0 are affected.

Is there a fix for CVE-2026-54695?

Yes. CVE-2026-54695 is fixed in 1.4.0. Upgrade to this version or later.

Is CVE-2026-54695 exploitable, and should I be worried?

Whether CVE-2026-54695 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk.

What actually determines whether CVE-2026-54695 is exploitable, and how bad it is?

Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.

How do I fix CVE-2026-54695?

Upgrade pipecat-ai to 1.4.0 or later.
