## Critical Signature Bypass Exposes Linear Webhook Endpoint to Unauthenticated Exploitation Under Tailscale Funnel
A P0 vulnerability in the Linear webhook handler grants unauthenticated access equivalent to remote code execution through a signature-verification bypass. The flaw, in `backend/routers/linear_webhook.py:82-101`, is that `_verify_linear_signature` returns `True` when both `signature_header` and `secret` are absent: on a deployment with no webhook secret configured, an unsigned request passes the check. Combined with public exposure via Tailscale Funnel and a CSRF whitelist exemption for `/api/linear/webhook` in `backend/middleware.py`, the dispatch path is reachable by any internet user without credentials.
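To make the fail-open condition concrete, the following is an added example (not code from the affected repository or from the issue) that reproduces the described behaviour beside a fail-closed version. It assumes, as Linear's webhook documentation describes, an HMAC-SHA256 hex digest of the raw request body carried in a `Linear-Signature` header; the function names, the sample payload and the `LINEAR_WEBHOOK_SECRET` setting name are illustrative.

```python
import hashlib
import hmac
import json

# Constructed example payload, shaped like a Linear issue event; not real data.
FORGED_BODY = json.dumps({
    "action": "create",
    "type": "Issue",
    "data": {"identifier": "EXAMPLE-1", "title": "forged event"},
}).encode()


def sign(secret: str, body: bytes) -> str:
    """Compute the hex HMAC-SHA256 a legitimate sender would attach (assumption)."""
    return hmac.new(secret.encode(), body, hashlib.sha256).hexdigest()


def verify_vulnerable(signature_header, secret, body: bytes) -> bool:
    """Mirrors the fail-open logic the issue describes: with neither a header
    nor a configured secret present, the request is accepted."""
    if signature_header is None and secret is None:
        return True
    if signature_header is None or secret is None:
        return False
    expected = sign(secret, body)
    return hmac.compare_digest(expected, signature_header)


def verify_hardened(signature_header, secret, body: bytes) -> bool:
    """Fail closed: a missing secret is a deployment error and stops request
    handling outright; a missing or wrong header is an unauthenticated request."""
    if not secret:
        # Surfacing this as an error (rather than returning True or False)
        # makes a misconfigured deployment visible instead of silently open.
        raise RuntimeError(
            "LINEAR_WEBHOOK_SECRET is not configured; refusing to accept webhooks"
        )
    if not signature_header:
        return False
    expected = sign(secret, body)
    # compare_digest is constant-time and returns False on a length mismatch.
    return hmac.compare_digest(expected, signature_header.strip())


def demo() -> dict:
    """Exercise both verifiers against the forged body and return the outcomes."""
    results = {}
    # The bypass: no header, no secret, vulnerable verifier says OK.
    results["vuln_no_header_no_secret"] = verify_vulnerable(None, None, FORGED_BODY)
    # Hardened verifier refuses to run at all without a secret.
    try:
        verify_hardened(None, None, FORGED_BODY)
        results["hard_no_secret"] = "accepted"
    except RuntimeError:
        results["hard_no_secret"] = "refused"
    # With a secret configured, an unsigned request is rejected ...
    results["hard_no_header"] = verify_hardened(None, "s3cret", FORGED_BODY)
    # ... a correctly signed one is accepted ...
    results["hard_valid"] = verify_hardened(sign("s3cret", FORGED_BODY), "s3cret", FORGED_BODY)
    # ... and a signature under a different secret is rejected.
    results["hard_wrong_secret"] = verify_hardened(sign("wrong", FORGED_BODY), "s3cret", FORGED_BODY)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The CSRF exemption for the webhook route is only safe while this check is the gate: once the verifier can return `True` for a request carrying no proof of origin, the exemption plus a public ingress (here Tailscale Funnel) is exactly the unauthenticated path the issue describes. Reading the secret at startup and refusing to serve the route when it is unset, as `verify_hardened` does, turns a silent fail-open into a visible deployment error.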

The vulnerability lets an attacker inject fabricated Linear webhook payloads that trigger `agents.dispatch.issue` envelopes against any repository in the organization. The `_build_dispatch_envelope` function (lines 152-184) builds these requests with Linear-controlled URLs embedded in the prompt and routes them to an agent with push access to the organization. An attacker can chain these steps to execute arbitrary commands within the organization's infrastructure without authentication.

The issue, filed as a P0 with parent ticket #304, flags this as a critical public attack surface requiring immediate remediation. Organizations running this codebase should audit webhook signature enforcement, verify secret configuration requirements, and evaluate restricting the dispatch path from public exposure until a fix is deployed.
---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: vulnerability, signature-bypass, webhook, rce, tailscale
- **Credibility**: unverified
- **Published**: 2026-04-30 04:54:10
- **ID**: 78465
- **URL**: https://whisperx.ai/en/intel/78465