Description
SEPPmail Secure Email Gateway before version 15.0.3 allows an external user to modify GINA webdomain metadata and bypass per-domain restrictions.
Published: 2026-04-02
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Per‑domain access bypass
Action: Immediate Patch
AI Analysis

Impact

The vulnerability lies in the SEPPmail Secure Email Gateway’s GINA webdomain metadata handling. An external user can modify this metadata, thereby circumventing restrictions that were meant to apply to specific email domains. This flaw could allow an attacker to gain unintended access to resources or data that are normally confined to a particular domain, compromising confidentiality and integrity. It is categorized as CWE‑807, reflecting a flaw that allows forced reconfiguration of system settings.

Affected Systems

SEPPmail Secure Email Gateway versions earlier than 15.0.3 are affected. Users running any pre‑15.0.3 build of the product are vulnerable; versions 15.0.3 and later include the fix.

Risk and Exploitability

The CVSS base score of 5.3 indicates moderate severity. Because the exploit requires an external user to alter GINA webdomain metadata, the attacker must reach the web interface, so the vector is likely remote. No EPSS score is available, and the CVE is not listed in the CISA KEV catalog, suggesting that known exploitation is limited or not widespread. Nevertheless, the flaw permits unauthorized domain authority escalation, a concern that warrants prompt remediation.

Generated by OpenCVE AI on April 2, 2026 at 10:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor’s security update that includes SEPPmail Secure Email Gateway 15.0.3 or later.
  • Verify that the GINA feature is enabled only for trusted users and that webdomain metadata is protected by strong authentication.
  • Restrict network access to the SEPPmail web interface to trusted IP ranges or VPN only.
  • Monitor authentication and GINA-related logs for anomalous changes to webdomain metadata.
  • If an immediate patch cannot be applied, consider disabling or isolating the GINA component until the update is available.



Advisories

No advisories yet.

History

Thu, 02 Apr 2026 15:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 02 Apr 2026 08:45:00 +0000

Type | Values Removed | Values Added
Description | | SEPPmail Secure Email Gateway before version 15.0.3 allows an external user to modify GINA webdomain metadata and bypass per-domain restrictions.
Title | | GINA Domain Switch
First Time appeared | | Seppmail; Seppmail seppmail Secure Email Gateway
Weaknesses | | CWE-807
CPEs | | cpe:2.3:a:seppmail:seppmail_secure_email_gateway:*:*:*:*:*:*:*:*
Vendors & Products | | Seppmail; Seppmail seppmail Secure Email Gateway
References | |
Metrics | | cvssV4_0: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N'}


MITRE

Status: PUBLISHED

Assigner: NCSC.ch

Published:

Updated: 2026-04-02T14:42:41.757Z

Reserved: 2026-03-04T09:08:03.277Z

Link: CVE-2026-29134

Vulnrichment

Updated: 2026-04-02T14:42:32.749Z

NVD

Status: Received

Published: 2026-04-02T09:16:21.653

Modified: 2026-04-02T09:16:21.653

Link: CVE-2026-29134

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-02T20:22:08Z

Weaknesses