CVE-2026-23829 in mailpit

Summary

by MITRE • 01/19/2026

Mailpit is an email testing tool and API for developers. Prior to version 1.28.3, Mailpit's SMTP server is vulnerable to Header Injection due to an insufficient Regular Expression used to validate `RCPT TO` and `MAIL FROM` addresses. An attacker can inject arbitrary SMTP headers (or corrupt existing ones) by including carriage return characters (`\r`) in the email address. This header injection occurs because the regex intended to filter control characters fails to exclude `\r` and `\n` when used inside a character class. Version 1.28.3 fixes this issue.


Analysis

by VulDB Data Team • 01/20/2026

The vulnerability identified as CVE-2026-23829 affects Mailpit, an email testing tool and API designed for developer environments. This tool serves as a mock SMTP server that facilitates email testing and development workflows, making it a critical component in software development pipelines where email functionality needs to be verified without sending actual emails to recipients. The vulnerability exists in versions prior to 1.28.3 and specifically targets the SMTP server implementation within Mailpit's architecture.

The technical flaw stems from an insufficient regular expression implementation used to validate email addresses in the RCPT TO and MAIL FROM SMTP command parameters. The regex pattern intended to filter out control characters fails to properly exclude carriage return characters within character classes, creating a vector for header injection attacks. This occurs because the validation logic does not adequately account for all control characters that could be used to manipulate SMTP headers, specifically allowing the insertion of \r (carriage return) and \n (line feed) characters within email addresses. When these characters are processed, they enable attackers to inject arbitrary SMTP headers or corrupt existing ones within the email transmission process.
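To make the regex defect described in the summary and in the paragraph above concrete, here is an added example written for this page; it is not Mailpit's own code and does not reproduce Mailpit's actual pattern. The `looseAddress` regex is a constructed illustration of the same class of mistake (a character class that still admits CR and LF), `strictAddress` is one hardened form, and `HeaderLines` shows why an admitted CR/LF matters once the address is copied into a generated header. All names and the sample addresses are constructed for the example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// looseAddress is a CONSTRUCTED illustration of the bug class, not Mailpit's
// pattern: the class admits printable ASCII plus \s to tolerate surrounding
// whitespace, but \s also matches carriage return (\r) and line feed (\n),
// so those control characters pass "validation".
var looseAddress = regexp.MustCompile(`^<?[\x21-\x7E\s]+>?$`)

// strictAddress admits only printable ASCII (0x21-0x7E); CR, LF and every
// other control character fall outside the class and are rejected.
var strictAddress = regexp.MustCompile(`^<?[\x21-\x7E]+>?$`)

// ValidateLoose mimics the insufficient check: it accepts addresses that
// contain CR/LF.
func ValidateLoose(addr string) bool {
	return looseAddress.MatchString(addr)
}

// ValidateStrict rejects CR/LF explicitly (independent of the regex, so a
// later regex edit cannot silently reopen the hole) and then applies the
// printable-ASCII allowlist.
func ValidateStrict(addr string) bool {
	if strings.ContainsAny(addr, "\r\n") {
		return false
	}
	return strictAddress.MatchString(addr)
}

// HeaderLines renders the address into a hypothetical envelope header and
// splits the result on CRLF: a clean address yields one header line, an
// address carrying CRLF yields additional, attacker-controlled lines.
func HeaderLines(addr string) []string {
	raw := "X-Envelope-To: " + addr + "\r\n"
	return strings.Split(strings.TrimSuffix(raw, "\r\n"), "\r\n")
}

func main() {
	// Constructed sample inputs: one ordinary address, one carrying CRLF.
	for _, addr := range []string{
		"alice@example.test",
		"alice@example.test\r\nX-Injected: 1",
	} {
		fmt.Printf("%q loose=%v strict=%v header lines=%d\n",
			addr, ValidateLoose(addr), ValidateStrict(addr), len(HeaderLines(addr)))
	}
}
```

The explicit `strings.ContainsAny` guard is the defensive point: a CR/LF rejection that does not depend on getting a character class exactly right is cheap, and logging rejections at that point gives a simple detection signal for envelope addresses carrying control characters.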

The operational impact of this vulnerability is significant for any development environment using Mailpit, particularly where the tool processes untrusted email addresses or where security boundaries are not properly enforced. Attackers can exploit this weakness to inject malicious headers into email messages, with consequences that may include email spoofing, header manipulation, and information disclosure. The resulting attack surface could be leveraged to compromise the integrity of email testing processes, affecting automated testing pipelines and development workflows that rely on Mailpit's SMTP server. The issue is most relevant where Mailpit runs in CI/CD pipelines or receives email addresses from untrusted sources.

The vulnerability aligns with CWE-1035, which addresses improper neutralization of special elements used in email headers, and represents a classic example of input validation bypass through inadequate regular expression implementation. From an ATT&CK perspective, this vulnerability maps to techniques involving command and control through email protocols and could potentially be used as part of broader attack chains involving email-based reconnaissance or delivery mechanisms. Organizations should prioritize upgrading to Mailpit version 1.28.3 or later to remediate this vulnerability, as the fix addresses the core regex validation issue by properly excluding control characters including carriage return and line feed sequences from email address validation. The mitigation strategy should also include monitoring for any anomalous email header patterns in development environments where Mailpit is deployed, particularly when processing addresses from external sources or untrusted inputs.

Responsible

GitHub M

Reservation

01/16/2026

Disclosure

01/19/2026

Moderation

accepted

CPE

ready

EPSS

0.01594

KEV

no

Activities

very low
