CVE-2026-23829 Overview
Mailpit, an email testing tool and API for developers, contains an SMTP Header Injection vulnerability in versions prior to 1.28.3. The flaw is an insufficient regular expression used to validate RCPT TO and MAIL FROM addresses in Mailpit's SMTP server: an attacker can inject arbitrary headers, or corrupt existing ones, by embedding a carriage return character (\r) in the email address.
The injection is possible because the regex intended to filter control characters fails to exclude \r and \n when they are used inside a character class. A network-based attacker needs no authentication to manipulate headers this way, which can enable email spoofing, bypass of downstream mail security controls, or, on instances configured to relay mail onward, spam relay abuse.
Critical Impact
Attackers can inject arbitrary SMTP headers by exploiting insufficient regex validation in email address parsing, potentially enabling email spoofing and header manipulation attacks.
Affected Products
- Mailpit versions prior to 1.28.3
- Mailpit SMTP server component
Discovery Timeline
- 2026-01-19 - CVE CVE-2026-23829 published to NVD
- 2026-01-19 - Last updated in NVD database
Technical Details for CVE-2026-23829
Vulnerability Analysis
The vulnerability is classified under CWE-93 (Improper Neutralization of CRLF Sequences - 'CRLF Injection'). The root cause lies in Mailpit's SMTP server implementation within the internal/smtpd/smtpd.go file, where email address validation relies on a flawed regular expression pattern.
The regex used to validate RCPT TO and MAIL FROM addresses was meant to filter control characters, but the carriage return (\r) and newline (\n) it lists inside a character class are not actually excluded. An address containing those bytes therefore passes validation, and CRLF sequences travel straight into the address field.
The server copies the envelope address into header lines of the message it stores, so an embedded line break ends that header early and whatever the attacker placed after it is read as an additional header. This can lead to email spoofing, manipulation of routing information, or exploitation of downstream systems that trust those headers.
Root Cause
The vulnerability stems from improper input validation in the SMTP address parsing logic: the regular expression character class meant to filter dangerous characters did not correctly escape or exclude the CR and LF bytes, so they pass validation. The pattern looks right on inspection; only a test that feeds it an address containing a literal control character shows that the class does not cover them, which is a common pitfall with regex-based input filters.
Attack Vector
The attack vector is network-based and requires no authentication or user interaction. An attacker connects to an exposed Mailpit SMTP server and sends a MAIL FROM or RCPT TO command whose address argument contains an embedded carriage return. A bare \r is the practical payload: a line-oriented SMTP reader consumes LF as the command terminator, so a full CRLF pair would split the command into two lines, whereas a lone CR survives into the address.
When the server later writes that address into a header line, the embedded CR ends the header and the bytes that follow are treated as a new header. This lets the attacker add headers such as Bcc, Cc, Subject, or custom headers that downstream systems may trust.
The security patch addresses this vulnerability by implementing RFC 5322 compliant address validation:
"io/fs"
"log"
"net"
+ "net/mail"
"os"
"regexp"
"strconv"
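Review bot: this hunk shows only the `+ "net/mail"` import; the lines that replace the regex check with the net/mail call are not in the excerpt, so whether a RCPT TO or MAIL FROM argument carrying a bare CR is now rejected cannot be confirmed from this hunk alone. When reading the full change, check that the code uses the parsed `Address` field rather than the raw argument and still rejects control bytes explicitly: as far as I know, mail.ParseAddress discards a parenthesised comment following the addr-spec instead of failing on its contents, so an input like `user@example.com(\rBcc: ...)` parses without error. A commit message or changelog line naming the exact validation function would also help reviewers locate the fix.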
Source: GitHub Commit Update
The fix imports Go's net/mail package so that RCPT TO and MAIL FROM addresses are validated against RFC 5322, rejecting addresses that contain control characters.
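The root-cause and patch paragraphs above describe a regex class that does not cover CR/LF and a fix that moves to net/mail. The following Go program is an added example, not Mailpit's code: weakAddrRe is a hypothetical reconstruction of that class of bug (the double-escaped `\\r` and `\\n` inside a raw string are an assumption, not Mailpit's actual pattern), parseOnly shows a caveat of using net/mail on its own, strictValidate is one hardened check, and renderHeader shows why the bare CR matters. All inputs are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"net/mail"
	"regexp"
	"strings"
)

// weakAddrRe is a hypothetical stand-in for the class of bug described above,
// not Mailpit's actual pattern. In a Go raw string the sequences `\\r` and `\\n`
// reach the RE2 parser as a literal backslash followed by the letters r and n,
// so the negated class forbids `\`, `r` and `n` but lets a real CR byte through.
var weakAddrRe = regexp.MustCompile(`^[^\\r\\n<>]+@[^\\r\\n<>]+$`)

// weakValidate is the regex-only check. It accepts an address carrying a bare
// carriage return and, a tell-tale that the class is wrong, rejects any
// address that merely contains the letter r.
func weakValidate(addr string) bool {
	return weakAddrRe.MatchString(addr)
}

// parseOnly shows why swapping in net/mail is not enough on its own:
// mail.ParseAddress tolerates a parenthesised comment after the addr-spec and
// discards it, so a CR hidden in a comment parses without error. The returned
// Address is clean, but code that keeps using the raw input is still exposed.
func parseOnly(addr string) (string, bool) {
	p, err := mail.ParseAddress(addr)
	if err != nil {
		return "", false
	}
	return p.Address, true
}

// strictValidate is the hardened check: refuse any control byte outright, then
// require net/mail to parse the input as a single bare addr-spec that
// round-trips unchanged (no display name, no comment, no surrounding space).
func strictValidate(addr string) (string, error) {
	for i := 0; i < len(addr); i++ {
		if addr[i] < 0x20 || addr[i] == 0x7f {
			return "", fmt.Errorf("control byte 0x%02x in address", addr[i])
		}
	}
	p, err := mail.ParseAddress(addr)
	if err != nil {
		return "", err
	}
	if p.Name != "" || p.Address != addr {
		return "", errors.New("address is not a bare addr-spec")
	}
	return p.Address, nil
}

// renderHeader illustrates the consequence of letting the CR through: a server
// that copies the envelope address into a header line ("Return-Path" is used
// here purely as an example) emits text that a CR-tolerant parser reads as two
// headers, the second one attacker-controlled.
func renderHeader(addr string) []string {
	raw := "Return-Path: <" + addr + ">"
	return strings.FieldsFunc(raw, func(r rune) bool { return r == '\r' || r == '\n' })
}

func main() {
	// Constructed sample inputs, not captured traffic.
	injected := "bob@example.com\rBcc: eve@example.com"
	commented := "bob@example.com(\rBcc: eve@example.com)"

	fmt.Println("weak regex accepts injected address:", weakValidate(injected))
	fmt.Println("weak regex accepts carol@example.com:", weakValidate("carol@example.com"))
	a, ok := parseOnly(commented)
	fmt.Printf("net/mail alone: address=%q ok=%v\n", a, ok)
	for _, in := range []string{"bob@example.com", injected, commented} {
		if out, err := strictValidate(in); err != nil {
			fmt.Printf("strict rejects %q: %v\n", in, err)
		} else {
			fmt.Printf("strict accepts %q\n", out)
		}
	}
	fmt.Printf("header lines from injected address: %q\n", renderHeader(injected))
}
```

The explicit control-byte loop in strictValidate is deliberate: it keeps the rejection independent of how a library parser treats comments or folding whitespace, and the round-trip comparison ensures that what gets stored is exactly what was validated.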
Detection Methods for CVE-2026-23829
Indicators of Compromise
- SMTP server logs showing email addresses containing carriage return (\r) or newline (\n) characters
- Unusual SMTP MAIL FROM or RCPT TO commands with embedded control characters
- Emails with unexpected or duplicate headers that weren't set by the original sender
- Raw SMTP traffic carrying a literal 0x0D byte inside a MAIL FROM or RCPT TO argument; SMTP is not URL-encoded, so percent-encoded forms such as %0d%0a appear only upstream, in a web form or API call that builds the address
Detection Strategies
- Monitor SMTP server logs for addresses containing non-printable or control characters
- Implement network intrusion detection rules to flag SMTP commands with CRLF sequences in address fields
- Review headers of captured messages (and of forwarded ones, if relay is enabled) for signs of injection such as a duplicate From or To, or an unexpected Bcc or custom header
- Log address-validation failures at the application level; a burst of rejected MAIL FROM or RCPT TO commands from one source indicates probing for this bug
Monitoring Recommendations
- Enable verbose logging on Mailpit SMTP server to capture full command details
- Set up alerts for SMTP commands whose address argument contains control bytes (0x0D, 0x0A, or any other byte below 0x20); where addresses originate from a web application, also alert on percent-encoded %0d or %0a reaching it
- Monitor for unusual email routing patterns that may indicate successful header injection
- Review email gateway logs for messages with malformed or suspicious header structures
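The indicators and detection strategies above all come down to one check: find a MAIL FROM or RCPT TO argument that still contains a control byte after normal line handling. The following Go program is an added example, not part of Mailpit or of any detection product; sampleSession is a constructed client stream, and the Finding type and ScanSMTPSession function are this example's own.

```go
package main

import (
	"bytes"
	"fmt"
	"strings"
)

// Finding records one suspicious envelope command in a captured SMTP session.
type Finding struct {
	Line   int    // 1-based line number in the client stream
	Verb   string // "MAIL FROM" or "RCPT TO"
	Arg    string // the argument, control bytes escaped as \xNN for safe logging
	Reason string
}

// escapeCtl renders control bytes as \xNN so a finding can be logged without
// re-injecting the line break into the log itself.
func escapeCtl(s string) string {
	var b strings.Builder
	for i := 0; i < len(s); i++ {
		if c := s[i]; c < 0x20 || c == 0x7f {
			fmt.Fprintf(&b, "\\x%02x", c)
		} else {
			b.WriteByte(s[i])
		}
	}
	return b.String()
}

// inspectArg returns why an envelope argument is suspicious, or "" if it is not.
func inspectArg(arg string) string {
	for i := 0; i < len(arg); i++ {
		if c := arg[i]; c < 0x20 || c == 0x7f {
			return fmt.Sprintf("control byte 0x%02x inside envelope argument", c)
		}
	}
	if strings.HasPrefix(arg, "<") && !strings.Contains(arg, ">") {
		return "unterminated <path>: a CRLF pair split the command across lines"
	}
	return ""
}

// ScanSMTPSession splits a raw client-to-server stream on LF, as a
// line-oriented SMTP reader does, strips the CR that terminates a well-formed
// line, and inspects the argument of every MAIL FROM / RCPT TO command.
// A bare CR (0x0d) survives this split and is the byte that reaches the
// address validator; an injected full CRLF instead shows up as a truncated
// command whose "<" never closes, followed by a line that is not a command.
func ScanSMTPSession(session []byte) []Finding {
	var out []Finding
	for i, raw := range bytes.Split(session, []byte("\n")) {
		line := string(bytes.TrimSuffix(raw, []byte("\r")))
		var verb string
		switch upper := strings.ToUpper(line); {
		case strings.HasPrefix(upper, "MAIL FROM:"):
			verb = "MAIL FROM"
		case strings.HasPrefix(upper, "RCPT TO:"):
			verb = "RCPT TO"
		default:
			continue
		}
		arg := strings.TrimLeft(line[len(verb)+1:], " ")
		if reason := inspectArg(arg); reason != "" {
			out = append(out, Finding{Line: i + 1, Verb: verb, Arg: escapeCtl(arg), Reason: reason})
		}
	}
	return out
}

// sampleSession is a constructed client stream, not captured traffic. Line 3
// carries a bare CR inside the path; line 4 carries a full CRLF, which the LF
// split turns into a truncated command plus a stray "Bcc:" line.
var sampleSession = []byte(
	"EHLO dev.example.test\r\n" +
		"MAIL FROM:<alice@example.test>\r\n" +
		"RCPT TO:<bob@example.test\rBcc: eve@attacker.test>\r\n" +
		"RCPT TO:<carol@example.test\r\nBcc: eve@attacker.test>\r\n" +
		"RCPT TO:<dave@example.test>\r\n" +
		"DATA\r\n")

func main() {
	for _, f := range ScanSMTPSession(sampleSession) {
		fmt.Printf("line %d %s %s: %s\n", f.Line, f.Verb, f.Arg, f.Reason)
	}
}
```

Run it over a pcap-extracted client stream or a verbose SMTP log that preserves raw bytes; a log that has already split on CR will show the injected address truncated, so the control byte must be looked for before any line normalisation the logger applies.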
How to Mitigate CVE-2026-23829
Immediate Actions Required
- Upgrade Mailpit to version 1.28.3 or later immediately
- Restrict network access to Mailpit SMTP server to trusted development networks only
- Review recent SMTP logs for signs of exploitation attempts
- Ensure Mailpit is not exposed to untrusted networks or the public internet
Patch Information
The vulnerability has been fixed in Mailpit version 1.28.3. The patch implements RFC 5322 compliant address validation using Go's net/mail package, so that RCPT TO and MAIL FROM addresses containing control characters, including carriage returns and newlines, are rejected.
Patch resources:
Workarounds
- Isolate Mailpit instances to internal development networks only, blocking external SMTP access
- Implement network-level filtering that rejects SMTP commands carrying a bare CR or any other control byte in the address argument
- Deploy an SMTP gateway with strict address validation in front of Mailpit
- Use firewall rules to allow only the known development machine IPs that require SMTP access
# Configuration example - bind Mailpit's SMTP listener to localhost only
# (the flag is --smtp; the equivalent environment variable is MP_SMTP_BIND_ADDR)
mailpit --smtp 127.0.0.1:1025
# Alternative: use the host firewall to restrict access to the SMTP port
# (the ACCEPT rule must be evaluated before the DROP rule)
iptables -A INPUT -p tcp --dport 1025 -s 192.168.1.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 1025 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


