Description
Mailpit is an email testing tool and API for developers. Prior to version 1.28.3, Mailpit's SMTP server is vulnerable to Header Injection due to an insufficient Regular Expression used to validate `RCPT TO` and `MAIL FROM` addresses. An attacker can inject arbitrary SMTP headers (or corrupt existing ones) by including carriage return characters (`\r`) in the email address. This header injection occurs because the regex intended to filter control characters fails to exclude `\r` and `\n` when used inside a character class. Version 1.28.3 fixes this issue.
Published: 2026-01-18
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: SMTP Header Injection
Action: Immediate Patch
AI Analysis

Impact

Mailpit’s SMTP server accepted RCPT TO and MAIL FROM addresses containing carriage return characters because the regular expression meant to filter control characters did not actually exclude \r and \n inside its character class. A remote client can therefore embed line-break characters in an address, and when that address is written into the headers of the captured message the injected text is read as additional header lines. The attacker can add arbitrary headers or corrupt existing ones; the CVSS vector (C:N/I:L/A:N) records this as a limited integrity impact with no confidentiality or availability effect. Exploitation requires only a connection to the SMTP listener and a crafted RCPT TO or MAIL FROM command; per the vector (PR:N, UI:N) no privileges or user interaction are needed. The description singles out \r because the SMTP command line itself ends at the line terminator, so the control character that reaches the address parser is a bare carriage return inside the command.
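The regex failure mode described above, together with the attack path from a RCPT TO command to an extra header line, as an added example that is not code from Mailpit or from this advisory. It is written in Go because Mailpit is a Go project. The weak pattern is a constructed illustration of a negated character class that looks as if it excludes CR and LF but does not (here through double-escaping inside a raw string); Mailpit's actual expression is not reproduced. The function names, the Return-Path rendering and the sample RCPT TO lines are assumptions made for the demonstration.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// weakAddress is a constructed illustration (not Mailpit's code) of a character
// class that appears to exclude CR and LF but does not. In a Go raw string,
// `\\r` reaches the regex engine as an escaped backslash followed by the letter
// r, so the class excludes '\', 'r', 'n', '<' and '>' while the control bytes
// 0x0D and 0x0A remain allowed. (The accidental exclusion of the letters r and
// n is the symptom an ordinary address test would have exposed.)
var weakAddress = regexp.MustCompile(`^[^\\r\\n<>]+@[^\\r\\n<>]+$`)

// strictAddress excludes every ASCII control byte (0x00-0x1F), space, DEL and
// angle brackets on both sides of the '@'.
var strictAddress = regexp.MustCompile(`^[^\x00-\x20\x7F<>]+@[^\x00-\x20\x7F<>]+$`)

var errBadAddress = errors.New("invalid address")

// parseRcptTo extracts the address from a RCPT TO command line as a line-based
// reader would deliver it (trailing CRLF removed). A bare CR embedded in the
// line survives such a reader, which is why the advisory singles out '\r'.
func parseRcptTo(line string) (string, error) {
	line = strings.TrimRight(line, "\r\n")
	if len(line) < 8 || !strings.EqualFold(line[:8], "RCPT TO:") {
		return "", fmt.Errorf("not a RCPT TO command: %q", line)
	}
	addr := strings.TrimSpace(line[8:])
	addr = strings.TrimSuffix(strings.TrimPrefix(addr, "<"), ">")
	if addr == "" {
		return "", errBadAddress
	}
	return addr, nil
}

// ValidateWeak applies only the broken pattern.
func ValidateWeak(addr string) bool { return weakAddress.MatchString(addr) }

// ValidateStrict rejects CR/LF explicitly before applying the corrected
// pattern, so the outcome does not depend on the class being written right.
func ValidateStrict(addr string) bool {
	if strings.ContainsAny(addr, "\r\n") {
		return false
	}
	return strictAddress.MatchString(addr)
}

// RenderReturnPath shows where an unvalidated address ends up: interpolated
// into a header line of the captured message. (Assumed header for the demo.)
func RenderReturnPath(addr string) string {
	return "Return-Path: <" + addr + ">\r\n"
}

// HeaderLines splits a header block on CR or LF, the view a parser that treats
// a bare CR as a line terminator would take. One address must yield one line.
func HeaderLines(block string) []string {
	return strings.FieldsFunc(block, func(r rune) bool { return r == '\r' || r == '\n' })
}

// HandleRcptTo runs one validator over a RCPT TO line and returns the header
// lines that would be written, or an error when the address is rejected.
func HandleRcptTo(line string, validate func(string) bool) ([]string, error) {
	addr, err := parseRcptTo(line)
	if err != nil {
		return nil, err
	}
	if !validate(addr) {
		return nil, errBadAddress
	}
	return HeaderLines(RenderReturnPath(addr)), nil
}

func main() {
	// Constructed sample commands. The addresses avoid the letters r and n so
	// the weak pattern's accidental letter exclusion does not mask the point.
	samples := []string{
		"RCPT TO:<bob@test.com>",
		"RCPT TO:<eve@test.com\rX-Spoofed: 1>",
	}
	for _, line := range samples {
		weak, werr := HandleRcptTo(line, ValidateWeak)
		strict, serr := HandleRcptTo(line, ValidateStrict)
		fmt.Printf("%q\n  weak:   lines=%q err=%v\n  strict: lines=%q err=%v\n", line, weak, werr, strict, serr)
	}
}
```

The benign address passes both validators and produces one header line; the crafted address passes the weak validator and produces two, while the strict validator rejects it before anything is rendered. The explicit ContainsAny check in ValidateStrict exists so that rejection of CR and LF does not hinge on the character class being written correctly, which is the class of mistake the advisory describes.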

Affected Systems

The vulnerability affects axllent's Mailpit email testing tool. Every release before 1.28.3 is affected because the defective regular expression is present in those builds; version 1.28.3 and later ship a corrected pattern that rejects the forbidden control characters. The CPE on record, cpe:2.3:a:axllent:mailpit:*:*:*:*:*:*:*:*, carries no version bound in the listing on this page, so confirm the installed version directly rather than relying on a CPE match.

Risk and Exploitability

The CVSS 3.1 base score of 5.3 (vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) rates this medium: the attack is reachable over the network via the SMTP protocol with low complexity, needs no privileges or user interaction, and affects integrity only. The SSVC assessment recorded with the CVE marks exploitation as proof-of-concept, automatable, with partial technical impact. The EPSS score below 1% indicates a low predicted probability of in-the-wild exploitation, and the CVE is not in CISA's KEV catalog, so no active exploitation is known at this time. Because Mailpit is a developer testing tool, its SMTP listener is often reachable only on localhost or a development network; instances exposed more widely are the ones an attacker could use to inject headers into captured mail.

Generated by OpenCVE AI on April 18, 2026 at 19:05 UTC.

Remediation

Vendor fix: upgrade to Mailpit 1.28.3 or later, the release that corrects the address-validation regular expression (see GHSA-54wq-72mp-cq7c). No vendor workaround is documented.

OpenCVE Recommended Actions

  • Upgrade Mailpit to version 1.28.3 or later.
  • If you maintain a fork or cannot upgrade yet, validate RCPT TO and MAIL FROM addresses with a pattern that rejects carriage return and line feed characters, and test it against inputs containing a bare \r as well as \r\n (CWE-93).
  • Treat every address value as untrusted before it is written into message headers: neutralize or reject control characters rather than relying on access control alone (CWE-150).
  • Until the upgrade is complete, bind the SMTP listener to localhost or restrict it to trusted IP ranges or an internal network.



Advisories
Source        ID                    Title
Github GHSA   GHSA-54wq-72mp-cq7c   Mailpit has an SMTP Header Injection via Regex Bypass
History

Mon, 23 Feb 2026 17:30:00 +0000

Type Values Removed Values Added
CPEs (added): cpe:2.3:a:axllent:mailpit:*:*:*:*:*:*:*:*

Tue, 20 Jan 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics (added): ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 19 Jan 2026 19:15:00 +0000

Type Values Removed Values Added
Description (removed): Mailpit is an email testing tool and API for developers. Prior to version 1.28. Mailpit's SMTP server is vulnerable to Header Injection due to an insufficient Regular Expression used to validate `RCPT TO` and `MAIL FROM` addresses. An attacker can inject arbitrary SMTP headers (or corrupt existing ones) by including carriage return characters (`\r`) in the email address. This header injection occurs because the regex intended to filter control characters fails to exclude `\r` and `\n` when used inside a character class. Version 1.28.3 fixes this issue.
Description (added): Mailpit is an email testing tool and API for developers. Prior to version 1.28.3, Mailpit's SMTP server is vulnerable to Header Injection due to an insufficient Regular Expression used to validate `RCPT TO` and `MAIL FROM` addresses. An attacker can inject arbitrary SMTP headers (or corrupt existing ones) by including carriage return characters (`\r`) in the email address. This header injection occurs because the regex intended to filter control characters fails to exclude `\r` and `\n` when used inside a character class. Version 1.28.3 fixes this issue.

Mon, 19 Jan 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared (added): Axllent; Axllent mailpit
Vendors & Products (added): Axllent; Axllent mailpit

Sun, 18 Jan 2026 23:45:00 +0000

Type Values Removed Values Added
Description (added): Mailpit is an email testing tool and API for developers. Prior to version 1.28. Mailpit's SMTP server is vulnerable to Header Injection due to an insufficient Regular Expression used to validate `RCPT TO` and `MAIL FROM` addresses. An attacker can inject arbitrary SMTP headers (or corrupt existing ones) by including carriage return characters (`\r`) in the email address. This header injection occurs because the regex intended to filter control characters fails to exclude `\r` and `\n` when used inside a character class. Version 1.28.3 fixes this issue.
Title (added): Mailpit has SMTP Header Injection via Regex Bypass
Weaknesses (added): CWE-150, CWE-93
References (added):
Metrics (added): cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-20T20:08:41.935Z

Reserved: 2026-01-16T15:46:40.841Z

Link: CVE-2026-23829

Vulnrichment

Updated: 2026-01-20T20:08:37.547Z

NVD

Status : Analyzed

Published: 2026-01-19T00:15:48.707

Modified: 2026-02-23T17:29:31.440

Link: CVE-2026-23829

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T19:15:10Z

Weaknesses