Unauthenticated self-registration in MailerUp allows access to stored email data

8.8 / 10

HIGH

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N

Description

Missing Authentication for Critical Function (CWE-306) in the RegisterView (apps/accounts/views.py), exposed at POST /api/auth/register/, in MailerUp <1.0.1 allows a remote, unauthenticated attacker to self-register a working account on instances where registration is intended to be restricted, because the endpoint applies the AllowAny permission with no email verification, CAPTCHA, or administrator approval. Any account created this way can read all email stored by the instance, resulting in full disclosure of stored messages to an arbitrary unauthenticated attacker

AI Analysis

Unauthenticated self-registration vulnerability in MailerUp allows remote attackers to create accounts and access stored email data

Basic Information

ID CVE-2026-13164

Source Secur0

Published Jun 24, 2026 at 15:37

Modified Jun 24, 2026 at 16:43

Affected Product

Vendor Mailerup

Product Mailerup

Affected Versions Mailerup Mailerup 0

CWE Classification

CWE-306

AI Assessment

AI Score 8.8 / 10

AI Severity High

Vendor Mailerup

Product MailerUp

References

{
    "lastseen": "",
    "description": "Missing Authentication for Critical Function (CWE-306) in the RegisterView (apps/accounts/views.py), exposed at POST /api/auth/register/, in MailerUp <1.0.1 allows a remote, unauthenticated attacker to self-register a working account on instances where registration is intended to be restricted, because the endpoint applies the AllowAny permission with no email verification, CAPTCHA, or administrator approval. Any account created this way can read all email stored by the instance, resulting in full disclosure of stored messages to an arbitrary unauthenticated attacker",
    "published": "2026-06-24T15:37:17.398Z",
    "modified": "2026-06-24T16:43:56.757Z",
    "type": "cve",
    "title": "Unauthenticated self-registration in MailerUp allows access to stored email data",
    "source": "Secur0",
    "references": "https://github.com/Maalfer/mailerup/commit/99eb6d4586134bf3f4422093fbf47d6794ef0ee5\nhttps://secur0.com/en/cna/cve-list/cve-2026-13164-unauthenticated-self-registration-in-mailerup-allows-access-to-stored-email-data",
    "id": "CVE-2026-13164",
    "bulletinFamily": "",
    "cwe": [
        "CWE-306"
    ],
    "cvelist": null,
    "sourceData": "Mailerup Mailerup 0",
    "sourceHref": "",
    "cvss": {
        "score": 8.8,
        "severity": "HIGH",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Mailerup",
    "version": "0",
    "vendor": "Mailerup",
    "ai_description": "Unauthenticated self-registration vulnerability in MailerUp allows remote attackers to create accounts and access stored email data",
    "ai_severity": "High",
    "ai_vendor": "Mailerup",
    "ai_product": "MailerUp",
    "ai_version": "0",
    "ai_score": 8.8
}

Unauthenticated self-registration in MailerUp allows access to stored email data_CVE-2026-13164