Security: SMS and Webhook adapters bind to 0.0.0.0 by default #4260

@stanguzman-ai

Description

The SMS adapter (gateway/platforms/sms.py:107) binds to 0.0.0.0:

site = web.TCPSite(self._runner, "0.0.0.0", self._webhook_port)

The Webhook adapter (gateway/platforms/webhook.py:54) also defaults to 0.0.0.0:

DEFAULT_HOST = "0.0.0.0"

This exposes these services to the local network (and internet if port-forwarded).

Expected Behavior

Both should default to 127.0.0.1 (localhost only). Users who need network exposure should explicitly set host: "0.0.0.0" in their platform config.

The API server adapter already does this correctly:

DEFAULT_HOST = "127.0.0.1"  # api_server.py:45

Suggested Fix

  • sms.py: Change "0.0.0.0" to config.extra.get("host", "127.0.0.1")
  • webhook.py: Change DEFAULT_HOST = "0.0.0.0" to DEFAULT_HOST = "127.0.0.1"

Version

v0.6.0 (v2026.3.30)
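A configuration check along the lines of the suggested fix, added here as an example and not taken from the project's code: it resolves an adapter's bind host with a loopback default and reports which platforms are reachable beyond localhost. The function names and the `platform -> "extra" -> "host"` layout of the sample config are assumptions.

```python
import ipaddress

LOOPBACK_DEFAULT = "127.0.0.1"  # the default the issue cites for api_server.py


def resolve_bind_host(extra):
    """Return (host, exposed) for an adapter's `extra` config dict.

    A missing or empty "host" falls back to loopback. `exposed` is True when
    the address can be reached from other machines (wildcard or non-loopback).
    """
    host = str(extra.get("host") or LOOPBACK_DEFAULT).strip()
    if host.lower() == "localhost":
        return host, False
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        # Any other hostname may resolve to a routable interface: treat as exposed.
        return host, True
    # 0.0.0.0 and :: are "unspecified" (all interfaces), so they are not loopback.
    return host, not addr.is_loopback


def audit_platforms(platforms):
    """Return {platform name: host} for every platform bound beyond localhost."""
    exposed = {}
    for name, cfg in platforms.items():
        host, is_exposed = resolve_bind_host(cfg.get("extra", {}))
        if is_exposed:
            exposed[name] = host
    return exposed


# Constructed sample config; the layout is an assumption, not the project's schema.
SAMPLE_PLATFORMS = {
    "sms": {"extra": {}},                       # no host set: falls back to loopback
    "webhook": {"extra": {"host": "0.0.0.0"}},  # explicit opt-in to all interfaces
    "api_server": {"extra": {"host": "::1"}},   # IPv6 loopback
}

if __name__ == "__main__":
    for name, host in audit_platforms(SAMPLE_PLATFORMS).items():
        print(f"WARNING: {name} listens on {host}, reachable beyond localhost")
```

Running the same check at gateway startup gives a log line whenever an adapter has been opted in to network exposure.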

Labels

  • P2: Medium — degraded but workaround exists
  • comp/gateway: Gateway runner, session dispatch, delivery
  • platform/sms: SMS (Twilio) adapter
  • platform/webhook: Webhook / API server
  • type/security: Security vulnerability or hardening
