Description
SEPPmail Secure Email Gateway before version 15.0.4 exposes server environment variables through an unauthenticated endpoint in the new GINA UI, allowing remote attackers to obtain sensitive system information.
Published: 2026-05-08
Score: 6.9 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

SEPPmail Secure Email Gateway versions prior to 15.0.4 contain a configuration flaw that exposes server environment variables through an unauthenticated endpoint included in the new GINA UI. This weakness, which falls under CWE‑497, allows an external actor to learn configuration details, operating system data, or other system metadata that should remain confidential. The exposure does not grant elevated privileges; it simply reveals data that could aid further attacks or provide insight into the system.

Affected Systems

The vulnerability affects SEPPmail AG’s Secure Email Gateway, specifically all releases before 15.0.4. Customers using any of these versions are susceptible to the unauthenticated disclosure of environment variables via the GINA UI endpoint.

Risk and Exploitability

With a CVSS score of 6.9, the severity is moderate. No EPSS data is available and the issue is not listed in CISA’s KEV catalog, indicating no confirmed external exploitation yet. The likely attack vector is remote and unauthenticated: an attacker can send a simple HTTP request to the exposed endpoint from any network location. Once accessed, the response contains environment variables that could be leveraged for reconnaissance or to facilitate additional attacks on the system.

Generated by OpenCVE AI on May 8, 2026 at 15:30 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Apply the recent update to Secure Email Gateway version 15.0.4 or later to eliminate the environment variable exposure
  • If an upgrade is not immediately feasible, isolate the GINA UI endpoint by restricting network access with firewall or ACL rules to trusted hosts only
  • Configure the gateway to disable the unpublished endpoint or remove environment variable output from the GINA UI configuration

Advisories

No advisories yet.

History

Fri, 08 May 2026 13:30:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Description | | SEPPmail Secure Email Gateway before version 15.0.4 exposes server environment variables through an unauthenticated endpoint in the new GINA UI, allowing remote attackers to obtain sensitive system information. |
| Title | | Exposure of Sensitive Information to an Unauthorized Actor |
| Weaknesses | | CWE-497 |
| References | | |
| Metrics | | cvssV4_0: {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'} |


MITRE

Status: PUBLISHED

Assigner: NCSC.ch

Published:

Updated: 2026-05-08T21:28:00.437Z

Reserved: 2026-05-05T12:56:45.255Z

Link: CVE-2026-7864

Vulnrichment

No data.

NVD

Status: Deferred

Published: 2026-05-08T14:16:47.880

Modified: 2026-05-08T15:51:08.590

Link: CVE-2026-7864

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-08T15:45:08Z
