Mailpit has SMTP Header Injection via Regex Bypass_CVE-2026-23829

5.3 / 10

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Description

Mailpit is an email testing tool and API for developers. Prior to version 1.28. Mailpit's SMTP server is vulnerable to Header Injection due to an insufficient Regular Expression used to validate `RCPT TO` and `MAIL FROM` addresses. An attacker can inject arbitrary SMTP headers (or corrupt existing ones) by including carriage return characters (`\r`) in the email address. This header injection occurs because the regex intended to filter control characters fails to exclude `\r` and `\n` when used inside a character class. Version 1.28.3 fixes this issue.

Basic Information

ID CVE-2026-23829

Source GitHub_M

Published Jan 18, 2026 at 23:23

Affected Product

Vendor axllent

Product mailpit

Version < 1.28.3

Affected Versions axllent mailpit < 1.28.3

CWE Classification

CWE-93 CWE-150

References

{
    "lastseen": "",
    "description": "Mailpit is an email testing tool and API for developers. Prior to version 1.28. Mailpit's SMTP server is vulnerable to Header Injection due to an insufficient Regular Expression used to validate `RCPT TO` and `MAIL FROM` addresses. An attacker can inject arbitrary SMTP headers (or corrupt existing ones) by including carriage return characters (`\\r`) in the email address. This header injection occurs because the regex intended to filter control characters fails to exclude `\\r` and `\\n` when used inside a character class. Version 1.28.3 fixes this issue.",
    "published": "2026-01-18T23:23:04.176Z",
    "modified": "2026-01-18T23:23:04.176Z",
    "type": "cve",
    "title": "Mailpit has SMTP Header Injection via Regex Bypass",
    "source": "GitHub_M",
    "references": "https://github.com/axllent/mailpit/security/advisories/GHSA-54wq-72mp-cq7c\nhttps://github.com/axllent/mailpit/commit/36cc06c125954dec6673219dafa084e13cc14534\nhttps://github.com/axllent/mailpit/releases/tag/v1.28.3",
    "id": "CVE-2026-23829",
    "bulletinFamily": "",
    "cwe": [
        "CWE-93",
        "CWE-150"
    ],
    "cvelist": null,
    "sourceData": "axllent mailpit < 1.28.3",
    "sourceHref": "",
    "cvss": {
        "score": 5.3,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "mailpit",
    "version": "< 1.28.3",
    "vendor": "axllent",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}