Description
SEPPmail Secure Email Gateway before version 15.0.4 exposes server environment variables through an unauthenticated endpoint in the new GINA UI, allowing remote attackers to obtain sensitive system information.
Published: 2026-05-08
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

SEPPmail Secure Email Gateway versions prior to 15.0.4 contain a configuration flaw that exposes server environment variables through an unauthenticated endpoint included in the new GINA UI. This weakness, which falls under CWE‑497, allows an external actor to learn configuration details, operating system data, or other system metadata that should remain confidential. The exposure does not grant elevated privileges; it simply reveals data that could aid further attacks or provide insight into the system.

Affected Systems

The vulnerability affects SEPPmail AG’s Secure Email Gateway, specifically all releases before 15.0.4. Customers using any of these versions are susceptible to the unauthenticated disclosure of environment variables via the GINA UI endpoint.

Risk and Exploitability

With a CVSS 4.0 score of 6.9, the severity is Medium. No EPSS data is available and the issue is not listed in CISA’s KEV catalog, indicating no confirmed external exploitation yet. The likely attack vector is remote and unauthenticated: an attacker can send a simple HTTP request to the exposed endpoint from any network location. The response contains environment variables that could be used for reconnaissance or to facilitate additional attacks on the system.

Generated by OpenCVE AI on May 8, 2026 at 15:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the recent update to Secure Email Gateway version 15.0.4 or later to eliminate the environment variable exposure
  • If an upgrade is not immediately feasible, isolate the GINA UI endpoint by restricting network access with firewall or ACL rules to trusted hosts only
  • Configure the gateway to disable the unpublished endpoint or remove environment variable output from the GINA UI configuration



Advisories

No advisories yet.

History

Mon, 18 May 2026 16:45:00 +0000


Sun, 10 May 2026 20:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Seppmail; Seppmail secure Email Gateway |
| Vendors & Products | | Seppmail; Seppmail secure Email Gateway |

Fri, 08 May 2026 22:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'} |


Fri, 08 May 2026 13:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | SEPPmail Secure Email Gateway before version 15.0.4 exposes server environment variables through an unauthenticated endpoint in the new GINA UI, allowing remote attackers to obtain sensitive system information. |
| Title | | Exposure of Sensitive Information to an Unauthorized Actor |
| Weaknesses | | CWE-497 |
| References | | |
| Metrics | | cvssV4_0: {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'} |


MITRE

Status: PUBLISHED

Assigner: NCSC.ch

Published:

Updated: 2026-05-18T16:09:19.591Z

Reserved: 2026-05-05T12:56:45.255Z

Link: CVE-2026-7864

Vulnrichment

Updated: 2026-05-08T14:26:42.443Z

NVD

Status: Deferred

Published: 2026-05-08T14:16:47.880

Modified: 2026-05-18T17:16:34.293

Link: CVE-2026-7864

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-10T20:00:05Z

Weaknesses