Mailpit Stop: SMTP Header Injection via Regex Failure
Vulnerability ID: CVE-2026-23829
CVSS Score: 5.3
Published: 2026-01-20
A classic case of 'Regex is not a parser' leads to SMTP Header Injection in the popular Mailpit development tool. By failing to sanitize control characters in email addresses, Mailpit allows attackers to rewrite message headers.
TL;DR
Mailpit, a popular email testing tool, relied on a permissive regular expression to validate sender and recipient addresses in SMTP commands. The regex failed to block control characters like Carriage Return (\r). This allows an unauthenticated attacker to inject arbitrary SMTP headers into the captured emails, potentially confusing downstream parsers or the Mailpit UI. The fix stops trusting the regex match on its own and validates the captured address with the standard library's net/mail parser.
⚠️ Exploit Status: POC
Technical Details
- CWE: CWE-93 (CRLF Injection)
- CVSS v3.1: 5.3 (Medium)
- Attack Vector: Network (SMTP)
- Exploit Status: PoC Available
- Patch Status: Released (v1.28.3)
- Protocol: SMTP (Port 1025)
Affected Systems
- Mailpit < v1.28.3 (fixed in v1.28.3)
Code Analysis
Commit: 36cc06c
Fix regex validation by adding mail.ParseAddress check
+ func extractAndValidateAddress(re *regexp.Regexp, args string) []string {
+ match := re.FindStringSubmatch(args)
+ if match == nil || strings.Contains(match[1], " ") {
+ return nil
+ }
+
+ // first argument will be the email address, validate it if not empty
+ if match[1] != "" {
+ _, err := mail.ParseAddress(match[1])
+ if err != nil {
+ return nil
+ }
+ }
+
+ return match
+ }
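Review bot: only match[1] is validated, yet the whole match slice is returned, so any further capture groups the caller uses (for example ESMTP parameters that follow the address) receive no control-character check from this function; a single strings.ContainsAny(args, "\r\n") rejection before the regex runs would close that gap regardless of what the pattern captures. Two documentation points in the same hunk: the empty-address branch should say it exists for the null reverse-path "<>" so nobody tightens it later, and the strings.Contains(match[1], " ") guard deserves a comment explaining that it is what stops mail.ParseAddress from accepting a display-name form such as "Bob <bob@example.com>". The function also has no doc comment.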
Exploit Details
- Manual Analysis: Exploitation involves sending raw SMTP commands via netcat with embedded \r characters.
Mitigation Strategies
- Upgrade to patched version
- Network Segmentation
- Input Validation Hardening
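To make the "regex is not a parser" point concrete, here is a small added Go program (example code written for this page, not Mailpit's own source) that puts a permissive regex-only extractor next to one that validates the capture with net/mail, in the spirit of the patch above, and next to a further hardened variant that rejects any bare CR or LF in the command arguments before parsing. The regex, the function names and the sample MAIL FROM lines are all constructed for the example; the regex is a stand-in, not Mailpit's actual pattern.

```go
package main

import (
	"errors"
	"fmt"
	"net/mail"
	"regexp"
	"strings"
)

// mailFromRe is a deliberately permissive stand-in for the kind of pattern
// the advisory describes. It is constructed for this example and is NOT
// Mailpit's real regex: the negated class [^>]* matches \r and \n just as
// readily as it matches letters, and nothing anchors the end of the line.
var mailFromRe = regexp.MustCompile(`(?i)^MAIL FROM:\s*<([^>]*)>`)

// extractRegexOnly models the pre-fix behaviour: whatever the regex
// captures is trusted as the reverse-path.
func extractRegexOnly(args string) (string, error) {
	m := mailFromRe.FindStringSubmatch(args)
	if m == nil {
		return "", errors.New("501 syntax error in MAIL FROM")
	}
	return m[1], nil
}

// extractValidated models the patched behaviour: the regex only locates the
// candidate; net/mail decides whether it is a well-formed addr-spec. An empty
// capture (the null reverse-path "<>") is allowed through, as RFC 5321
// requires for bounce messages.
func extractValidated(args string) (string, error) {
	m := mailFromRe.FindStringSubmatch(args)
	if m == nil {
		return "", errors.New("501 syntax error in MAIL FROM")
	}
	addr := m[1]
	if addr == "" {
		return "", nil
	}
	// Keeps ParseAddress from accepting display-name forms like "Bob <bob@x>".
	if strings.Contains(addr, " ") {
		return "", errors.New("501 address must not contain spaces")
	}
	// ParseAddress consumes local-part@domain and then insists that nothing
	// follows; CR and LF are not atext, so "user@host\r\n..." leaves trailing
	// bytes and the call fails.
	parsed, err := mail.ParseAddress(addr)
	if err != nil {
		return "", fmt.Errorf("501 invalid address: %w", err)
	}
	return parsed.Address, nil
}

// extractHardened adds a belt-and-braces rule on top of extractValidated: a
// bare CR or LF anywhere in the command arguments is rejected before any
// matching, so text after the address gets the same protection as the
// address itself. (An addition for this example, not part of the Mailpit patch.)
func extractHardened(args string) (string, error) {
	if strings.ContainsAny(args, "\r\n") {
		return "", errors.New("501 line break in command arguments")
	}
	return extractValidated(args)
}

func main() {
	// Constructed sample inputs, not captured traffic.
	samples := []string{
		"MAIL FROM:<alice@example.com>",
		"MAIL FROM:<>",
		"MAIL FROM:<alice@example.com\r\nX-Injected:1>",
		"MAIL FROM:<alice@example.com> SIZE=1024\r\nX-Injected:1",
	}
	for _, s := range samples {
		r1, e1 := extractRegexOnly(s)
		r2, e2 := extractValidated(s)
		r3, e3 := extractHardened(s)
		fmt.Printf("%q\n  regex-only: %q err=%v\n  validated:  %q err=%v\n  hardened:   %q err=%v\n",
			s, r1, e1, r2, e2, r3, e3)
	}
}
```

Running it shows the regex-only extractor handing the line break straight through, net/mail refusing the same capture because bytes remain after the addr-spec, and, for the last sample, why the extra line-break check earns its place: with a pattern that is not anchored at the end of the line, anything after the closing ">" is never handed to the parser at all, so only the whole-argument check catches it.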
Remediation Steps:
- Stop the running Mailpit instance.
- Download the latest binary release (v1.28.3 or higher) from GitHub.
- Replace the old binary.
- Restart the service.
- Verify the version by running mailpit version.