Description
SEPPmail Secure Email Gateway before version 15.0.3 allows attackers with a specially crafted email address to read the contents of emails encrypted for other users.
Published: 2026-04-02
Score: 4.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Disclosure
Action: Patch
AI Analysis

Impact

SEPPmail Secure Email Gateway versions prior to 15.0.3 contain a vulnerability that lets an attacker supply a specially crafted email address that is processed during PGP decryption of messages. This LDAP injection flaw allows the attacker to read the contents of emails that are encrypted for other users. The weakness is categorized as CWE-90, reflecting improper handling of LDAP queries that can expose confidential information.

Affected Systems

All instances of SEPPmail Secure Email Gateway with a version earlier than 15.0.3 are affected. Users running the software should verify their current release against the vendor’s advisory for version 15.0.3 and later, which resolves the issue.

Risk and Exploitability

The CVSS base score of 4.9 indicates moderate risk for confidentiality compromise. No EPSS score is reported and the vulnerability is not listed in CISA’s KEV catalog, suggesting it has not been widely exploited yet. The likely attack vector involves sending a crafted email to a target system, exploiting the LDAP injection during decryption to access encrypted messages. If the system processes emails from untrusted sources, the window for successful exploitation remains open.

Generated by OpenCVE AI on April 2, 2026 at 10:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update SEPPmail Secure Email Gateway to version 15.0.3 or newer to eliminate the LDAP injection flaw.
  • If an immediate upgrade is not possible, isolate the email gateway from external networks and enforce strict email filtering to reject addresses containing LDAP query constructs.
  • Document the vulnerability and monitor for related security advisories from SEPPmail for future patches.
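
The address check in the second action, together with RFC 4515 escaping as the general fix pattern for CWE-90, is sketched below as an added example; it is not SEPPmail or OpenCVE code. The attribute name `mail`, the function names and the sample addresses are assumptions constructed for illustration.

```python
"""Defensive handling of e-mail addresses that end up in LDAP search filters.

Added illustration for CWE-90. The attribute name `mail` and all sample
addresses are assumptions, not taken from SEPPmail.
"""

# Characters that RFC 4515 requires to be escaped inside a filter value.
_RFC4515_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a string so the directory treats it as a literal value."""
    # Character-by-character mapping avoids escaping a backslash twice.
    return "".join(_RFC4515_ESCAPES.get(ch, ch) for ch in value)


def has_ldap_constructs(address: str) -> bool:
    """True if the address contains characters with meaning in LDAP filters."""
    return any(ch in _RFC4515_ESCAPES for ch in address)


def recipient_filter(address: str) -> str:
    """Build an exact-match filter for one recipient (assumed attribute: mail)."""
    return f"(mail={escape_filter_value(address)})"


def triage(addresses):
    """Split addresses into (accepted, rejected) for a reject-on-sight policy."""
    accepted, rejected = [], []
    for addr in addresses:
        (rejected if has_ldap_constructs(addr) else accepted).append(addr)
    return accepted, rejected


if __name__ == "__main__":
    # Constructed sample input.
    sample = ["alice@example.org", "a*@example.org", "team(ops)@example.org"]
    accepted, rejected = triage(sample)
    print("accepted:", accepted)
    print("rejected:", rejected)
    for addr in sample:
        print(recipient_filter(addr))
```

Rejecting on sight can also drop rare but syntactically valid addresses, so it is a stopgap at the gateway edge; escaping at the point where the filter is built is what removes the injection.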

Advisories

No advisories yet.

History

Thu, 02 Apr 2026 14:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 02 Apr 2026 09:00:00 +0000

Type | Values Removed | Values Added
Description | | SEPPmail Secure Email Gateway before version 15.0.3 allows attackers with a specially crafted email address to read the contents of emails encrypted for other users.
Title | | PGP Decryption Recipient LDAP Injection
First Time appeared | | Seppmail; Seppmail seppmail Secure Email Gateway
Weaknesses | | CWE-90
CPEs | | cpe:2.3:a:seppmail:seppmail_secure_email_gateway:*:*:*:*:*:*:*:*
Vendors & Products | | Seppmail; Seppmail seppmail Secure Email Gateway
References | |
Metrics | | cvssV4_0 {'score': 4.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: NCSC.ch

Published:

Updated: 2026-04-02T13:31:31.492Z

Reserved: 2026-03-04T09:08:03.277Z

Link: CVE-2026-29131

Vulnrichment

Updated: 2026-04-02T13:17:03.018Z

NVD

Status: Received

Published: 2026-04-02T09:16:21.000

Modified: 2026-04-02T09:16:21.000

Link: CVE-2026-29131

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-02T20:22:03Z

Weaknesses