Description
Missing Authentication for Critical Function (CWE-306) in the RegisterView (apps/accounts/views.py), exposed at POST /api/auth/register/, in MailerUp <1.0.1 allows a remote, unauthenticated attacker to self-register a working account on instances where registration is intended to be restricted, because the endpoint applies the AllowAny permission with no email verification, CAPTCHA, or administrator approval. Any account created this way can read all email stored by the instance, resulting in full disclosure of stored messages to an arbitrary unauthenticated attacker.
Published: 2026-06-24
Score: 8.8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a missing authentication check on a critical function: an attacker can POST to the /api/auth/register/ endpoint of any MailerUp instance running a version prior to 1.0.1. Because the RegisterView applies the AllowAny permission with no email verification, CAPTCHA or staff approval, an attacker can create a fully functional account without holding any credentials. Once registered, the account can read all email messages kept by the instance, resulting in complete disclosure of stored messages to an unauthenticated actor.

Affected Systems

MailerUp deployments running a version lower than 1.0.1. The vulnerability is present in every instance where the public registration endpoint is enabled and no additional authentication controls are in place.

Risk and Exploitability

The CVSS score of 8.8 marks it as a high-severity problem. No EPSS data is available, but the issue is exploitable over the network with no authentication and no user interaction. It is not currently listed in the CISA KEV catalog. An attacker can trigger the flaw simply by issuing a POST to the registration endpoint, creating a new account, and then accessing the mail store.

Generated by OpenCVE AI on June 24, 2026 at 17:21 UTC.

Remediation

Vendor Solution

Upgrade to a version greater than or equal to 1.0.1.


OpenCVE Recommended Actions

  • Upgrade the MailerUp service to version 1.0.1 or later to disable unauthenticated registration.
  • If an upgrade cannot be performed immediately, block or restrict POST /api/auth/register/ at the application or reverse proxy so that only administrators can create accounts.
  • Ensure that any self-registration option that remains enabled includes email verification, CAPTCHA, or administrative approval, so that account creation is no longer an unauthenticated critical operation.
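The check an operator would want to run over an instance that was exposed before the upgrade, as an added example that is not part of the OpenCVE record or the MailerUp project: it scans reverse-proxy access logs in the combined format for successful POSTs to /api/auth/register/ and for the register-then-read chain the analysis describes. The mail-store path /api/messages/ is an assumption, and the log lines are constructed samples.

```python
import re
from collections import defaultdict
from datetime import datetime

REGISTER_PATH = "/api/auth/register/"   # endpoint named in the advisory
MAILBOX_PREFIX = "/api/messages/"       # assumed path of the mail-store API

# Combined log format; only the fields the checks need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines, not taken from any real deployment.
SAMPLE_LOG = """\
203.0.113.7 - - [24/Jun/2026:17:02:11 +0000] "POST /api/auth/register/ HTTP/1.1" 201 87 "-" "python-requests/2.31"
203.0.113.7 - - [24/Jun/2026:17:02:13 +0000] "GET /api/messages/ HTTP/1.1" 200 48211 "-" "python-requests/2.31"
198.51.100.9 - - [24/Jun/2026:17:05:40 +0000] "GET /api/messages/ HTTP/1.1" 401 41 "-" "Mozilla/5.0"
203.0.113.7 - - [24/Jun/2026:17:06:01 +0000] "POST /api/auth/register/ HTTP/1.1" 400 55 "-" "python-requests/2.31"
"""

def parse_line(line):
    """Parse one combined-format line; None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "method": m["method"], "path": m["path"],
            "status": int(m["status"]),
            "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")}

def successful_registrations(log_text):
    """(ip, timestamp) of every POST to the register endpoint answered 2xx.
    Where self-registration should be off, each one is an account to review."""
    return [(r["ip"], r["ts"]) for r in map(parse_line, log_text.splitlines())
            if r and r["method"] == "POST" and r["path"] == REGISTER_PATH
            and 200 <= r["status"] < 300]

def register_then_read(log_text, window_seconds=600):
    """IPs that registered and then read mail within the window: the
    two-step chain the analysis describes, so the strongest signal."""
    reg_times = defaultdict(list)
    for ip, ts in successful_registrations(log_text):
        reg_times[ip].append(ts)
    reads = (r for r in map(parse_line, log_text.splitlines())
             if r and r["status"] == 200 and r["path"].startswith(MAILBOX_PREFIX))
    return sorted({r["ip"] for r in reads
                   if any(0 <= (r["ts"] - t).total_seconds() <= window_seconds
                          for t in reg_times.get(r["ip"], []))})
```

Failed registrations (the 400 line) and unauthenticated mailbox reads (the 401 line) are deliberately left out, so only accounts that actually came into existence are reported.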


Advisories

No advisories yet.

History

Wed, 24 Jun 2026 17:30:00 +0000

Metrics ssvc (values added): {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 24 Jun 2026 16:30:00 +0000

Description (values added): Missing Authentication for Critical Function (CWE-306) in the RegisterView (apps/accounts/views.py), exposed at POST /api/auth/register/, in MailerUp <1.0.1 allows a remote, unauthenticated attacker to self-register a working account on instances where registration is intended to be restricted, because the endpoint applies the AllowAny permission with no email verification, CAPTCHA, or administrator approval. Any account created this way can read all email stored by the instance, resulting in full disclosure of stored messages to an arbitrary unauthenticated attacker.
Title (values added): Unauthenticated self-registration in MailerUp allows access to stored email data
First Time appeared (values added): Mailerup; Mailerup mailerup
Weaknesses (values added): CWE-306
CPEs (values added): cpe:2.3:a:mailerup:mailerup:*:*:*:*:*:*:*:*
Vendors & Products (values added): Mailerup; Mailerup mailerup
References (values added): none
Metrics cvssV4_0 (values added): {'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: Secur0

Published:

Updated: 2026-06-24T16:43:56.757Z

Reserved: 2026-06-24T12:50:14.906Z

Link: CVE-2026-13164

Vulnrichment

Updated: 2026-06-24T16:43:43.433Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T17:30:16Z

Weaknesses
  • CWE-306: Missing Authentication for Critical Function