CVE-2026-48063: Baileys has message upsert / hist sync spoofing and app state corruption when using maliciously crafted protocolMessage payload

June 10, 2026

Any baileys session under the latest version (< 7.0.0-rc12, and < 6.7.22) can be sent a malicious payload via the placeholderResendMessage and trigger a fake messages.upsert event with a fake message key and payload. This allows anyone to spoof messages. The same exploit also allows an attacker to corrupt the app state sync system by sending fake key shares, and also allows for history sync spoofing which also serves the same problem, injecting fake previous context or “on-demand” sync.

References

github.com/WhiskeySockets/Baileys/commit/3beb08eecfcb4e65722e674034bd84fb11a9de35
github.com/WhiskeySockets/Baileys/security/advisories/GHSA-qvv5-jq5g-4cgg
github.com/advisories/GHSA-qvv5-jq5g-4cgg
nvd.nist.gov/vuln/detail/CVE-2026-48063

Code Behaviors & Features

Detect and mitigate CVE-2026-48063 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →