
CVE-2026-23829: Mailpit SMTP Header Injection Vulnerability

CVE-2026-23829 is a header injection vulnerability in Mailpit's SMTP server allowing attackers to inject arbitrary headers via carriage return characters. This post covers the technical details, affected versions, and mitigation.

CVE-2026-23829 Overview

Mailpit, an email testing tool and API for developers, contains an SMTP header injection vulnerability in versions prior to 1.28.3. The vulnerability exists because an insufficient regular expression is used to validate RCPT TO and MAIL FROM addresses in Mailpit's SMTP server. An attacker can inject arbitrary SMTP headers or corrupt existing ones by including carriage return characters (\r) in the email address.

This header injection occurs because the regex intended to filter control characters fails to exclude \r and \n when used inside a character class. This flaw allows network-based attackers to manipulate SMTP headers without authentication, potentially enabling email spoofing, spam relay abuse, or bypassing email security controls.

Critical Impact

Attackers can inject arbitrary SMTP headers by exploiting insufficient regex validation in email address parsing, potentially enabling email spoofing and header manipulation attacks.

Affected Products

  • Mailpit versions prior to 1.28.3
  • Mailpit SMTP server component

Discovery Timeline

  • 2026-01-19 - CVE-2026-23829 published to NVD
  • 2026-01-19 - Last updated in NVD database

Technical Details for CVE-2026-23829

Vulnerability Analysis

The vulnerability is classified under CWE-93 (Improper Neutralization of CRLF Sequences - 'CRLF Injection'). The root cause lies in Mailpit's SMTP server implementation within the internal/smtpd/smtpd.go file, where email address validation relies on a flawed regular expression pattern.

The regex pattern used to validate RCPT TO and MAIL FROM addresses was designed to filter control characters but fails to properly handle carriage return (\r) and newline (\n) characters when they appear inside a character class. This oversight allows attackers to bypass the validation and inject CRLF sequences directly into email addresses.

By exploiting this vulnerability, an attacker can craft malicious email addresses containing carriage return characters that, when processed by the SMTP server, result in additional headers being injected into the email message. This can lead to email spoofing, manipulation of email routing, or exploitation of downstream email processing systems.

Root Cause

The vulnerability stems from improper input validation in the SMTP address parsing logic. The regular expression character class used to filter dangerous characters did not properly escape or exclude CRLF sequences (\r\n), allowing these control characters to pass through validation. This is a common pitfall when regex patterns are not thoroughly tested against all possible control character inputs.

Attack Vector

The attack vector is network-based and requires no authentication or user interaction. An attacker can connect to an exposed Mailpit SMTP server and send specially crafted MAIL FROM or RCPT TO commands containing carriage return characters embedded in the email address field.

When the server processes these commands, the injected CRLF sequences cause the parser to interpret subsequent data as new SMTP headers rather than part of the email address. This allows the attacker to inject arbitrary headers such as BCC, CC, Subject, or custom headers that may be trusted by downstream systems.

The security patch addresses this vulnerability by implementing RFC 5322 compliant address validation:

```diff
 	"io/fs"
 	"log"
 	"net"
+	"net/mail"
 	"os"
 	"regexp"
 	"strconv"
```

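Review bot: the hunk shows only the added "net/mail" import; the call site where the regexp check on MAIL FROM / RCPT TO addresses is replaced by mail.ParseAddress is not in this excerpt, and "regexp" is still imported, so the full commit should be checked to confirm the old address pattern is actually removed (or only used elsewhere) rather than left as a parallel validation path. Two behaviours of mail.ParseAddress are also worth confirming at that call site: it accepts a display name and angle brackets ("Name <user@host>"), so the envelope should store the parsed Address field rather than the raw input, and it rejects the null reverse-path "<>" used by MAIL FROM:<> for bounces, which needs an explicit case.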
Source: GitHub Commit Update

The fix imports Go's net/mail package to ensure that SMTP TO and FROM addresses are validated against RFC 5322 standards, properly rejecting addresses containing control characters.
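To make the root cause and the fix concrete, here is an added example (not Mailpit's code and not the patched function from the commit) contrasting a hypothetical weak validator with a hardened one. The weak pattern is an illustration of the bug class the advisory describes, a negated character class used without anchors so that MatchString succeeds as soon as any acceptable byte is present, not the actual regex from internal/smtpd/smtpd.go. The hardened ValidateEnvelopeAddress function (its name and allowEmpty parameter are assumptions) rejects ASCII control characters outright, then requires the input to parse as an RFC 5322 address via net/mail, returning the canonical address and handling the SMTP null reverse-path <> explicitly because net/mail does not accept it.

```go
package main

import (
	"errors"
	"fmt"
	"net/mail"
	"regexp"
	"strings"
)

// weakPattern is a HYPOTHETICAL example of the bug class, not Mailpit's actual
// regex: a negated character class meant to forbid CR/LF and angle brackets,
// but used unanchored. MatchString only needs one acceptable byte somewhere in
// the input, so an address carrying "\r\nBcc: ..." still passes.
var weakPattern = regexp.MustCompile(`[^\r\n<>]+`)

// weakValidate mirrors the flawed approach: "does the address contain any allowed text?"
func weakValidate(addr string) bool {
	return weakPattern.MatchString(addr)
}

var errControlChar = errors.New("address contains control characters")

// ValidateEnvelopeAddress is the hardened check. It rejects any ASCII control
// character (which covers \r and \n) before parsing, then requires the rest to
// parse as an RFC 5322 address with net/mail. It returns the canonical address
// with any display name and angle brackets stripped. The empty reverse-path
// "<>" (MAIL FROM:<> for bounces) is accepted only when allowEmpty is set,
// because mail.ParseAddress itself rejects it.
func ValidateEnvelopeAddress(raw string, allowEmpty bool) (string, error) {
	for _, r := range raw {
		if r < 0x20 || r == 0x7f {
			return "", errControlChar
		}
	}
	trimmed := strings.TrimSpace(raw)
	if trimmed == "<>" || trimmed == "" {
		if allowEmpty {
			return "", nil
		}
		return "", errors.New("empty address not permitted")
	}
	a, err := mail.ParseAddress(trimmed)
	if err != nil {
		return "", err
	}
	return a.Address, nil
}

func main() {
	// Constructed sample inputs: two benign addresses and two carrying CR/LF.
	samples := []string{
		"alice@example.com",
		"Alice <alice@example.com>",
		"alice@example.com\r\nBcc: eve@example.net",
		"alice\r@example.com",
	}
	for _, s := range samples {
		got, err := ValidateEnvelopeAddress(s, false)
		fmt.Printf("%-45q weak=%v hardened=%q err=%v\n", s, weakValidate(s), got, err)
	}
}
```

The explicit control-character loop is deliberately kept even though net/mail would reject CR and LF on its own: it makes the rejection independent of parser details, and it catches other control bytes (tab, NUL) that a downstream header writer would also mishandle.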

Detection Methods for CVE-2026-23829

Indicators of Compromise

  • SMTP server logs showing email addresses containing carriage return (\r) or newline (\n) characters
  • Unusual SMTP MAIL FROM or RCPT TO commands with embedded control characters
  • Emails with unexpected or duplicate headers that weren't set by the original sender
  • Network traffic containing malformed SMTP commands with encoded CRLF sequences (%0d%0a or \r\n)

Detection Strategies

  • Monitor SMTP server logs for addresses containing non-printable or control characters
  • Implement network intrusion detection rules to flag SMTP commands with CRLF sequences in address fields
  • Review outbound email headers for signs of injection such as duplicate From, To, or unexpected custom headers
  • Deploy application-level monitoring to detect regex bypass attempts in email address validation

Monitoring Recommendations

  • Enable verbose logging on Mailpit SMTP server to capture full command details
  • Set up alerts for SMTP commands containing hex-encoded control characters (%0d, %0a)
  • Monitor for unusual email routing patterns that may indicate successful header injection
  • Review email gateway logs for messages with malformed or suspicious header structures
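As an added example of the log-based detection the three lists above describe (not a Mailpit feature and not a rule from any shipped product), the following Go program scans SMTP command log lines for MAIL FROM / RCPT TO addresses that contain raw control characters or hex-encoded / backslash-escaped CR/LF. The log format, field names and the sample log lines are constructed for the example; adjust envelopeCmd to your own logger's layout.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
)

// envelopeCmd matches MAIL FROM / RCPT TO commands as they might appear in a
// verbose SMTP log (assumed format); the address field is everything after
// the colon up to end of line.
var envelopeCmd = regexp.MustCompile(`(?i)\b(MAIL FROM|RCPT TO):\s*(.*)$`)

// encodedCRLF catches the percent-encoded (%0d, %0a) and backslash-escaped
// (\r, \n) forms that show up when a logger or a client escapes control bytes.
var encodedCRLF = regexp.MustCompile(`(?i)%0d|%0a|\\r|\\n`)

// Finding records one suspicious envelope command.
type Finding struct {
	Line    int
	Command string
	Reason  string
}

// inspectAddress returns a reason and true when the address field carries a
// raw ASCII control character or an encoded CR/LF sequence.
func inspectAddress(field string) (string, bool) {
	for _, r := range field {
		if r < 0x20 || r == 0x7f {
			return fmt.Sprintf("raw control character U+%04X", r), true
		}
	}
	if encodedCRLF.MatchString(field) {
		return "encoded CR/LF sequence", true
	}
	return "", false
}

// ScanSMTPLog walks the log line by line and reports every MAIL FROM / RCPT TO
// whose address field fails inspectAddress. Because bufio.Scanner splits on
// \n, a lone embedded \r survives inside a line and is caught as a raw
// control character; a full \r\n pair would have split the line, leaving a
// truncated address that is still worth reviewing by hand.
func ScanSMTPLog(log string) []Finding {
	var out []Finding
	sc := bufio.NewScanner(strings.NewReader(log))
	n := 0
	for sc.Scan() {
		n++
		m := envelopeCmd.FindStringSubmatch(sc.Text())
		if m == nil {
			continue
		}
		if reason, bad := inspectAddress(m[2]); bad {
			out = append(out, Finding{Line: n, Command: strings.ToUpper(m[1]), Reason: reason})
		}
	}
	return out
}

// sampleLog is CONSTRUCTED for this example: two clean commands, one
// percent-encoded CRLF, one backslash-escaped CRLF, one raw embedded CR.
const sampleLog = "2026-01-19T10:00:01Z smtpd 10.0.0.5 MAIL FROM:<alice@example.com>\n" +
	"2026-01-19T10:00:01Z smtpd 10.0.0.5 RCPT TO:<bob@example.com>\n" +
	"2026-01-19T10:00:07Z smtpd 10.0.0.9 RCPT TO:<bob@example.com%0d%0aBcc:eve@example.net>\n" +
	"2026-01-19T10:00:09Z smtpd 10.0.0.9 MAIL FROM:<alice@example.com\\r\\nX-Injected: 1>\n" +
	"2026-01-19T10:00:12Z smtpd 10.0.0.9 RCPT TO:<bob@example.com\rBcc: eve@example.net>\n" +
	"2026-01-19T10:00:15Z smtpd 10.0.0.5 DATA\n"

func main() {
	for _, f := range ScanSMTPLog(sampleLog) {
		fmt.Printf("line %d: %s rejected, %s\n", f.Line, f.Command, f.Reason)
	}
}
```

The same inspectAddress check can sit in front of a network IDS rule: the two regexes are RE2-compatible, so they port directly to tooling that uses that engine, while the raw control-character loop is what catches the unencoded form that a signature on "%0d%0a" alone would miss.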

How to Mitigate CVE-2026-23829

Immediate Actions Required

  • Upgrade Mailpit to version 1.28.3 or later immediately
  • Restrict network access to Mailpit SMTP server to trusted development networks only
  • Review recent SMTP logs for signs of exploitation attempts
  • Ensure Mailpit is not exposed to untrusted networks or the public internet

Patch Information

The vulnerability has been fixed in Mailpit version 1.28.3. The patch implements RFC 5322 compliant address validation using Go's net/mail package, ensuring that SMTP TO and FROM addresses properly reject control characters including carriage returns and newlines.

Workarounds

  • Isolate Mailpit instances to internal development networks only, blocking external SMTP access
  • Implement network-level filtering to reject SMTP commands containing encoded CRLF sequences
  • Deploy a reverse proxy or SMTP gateway with strict input validation in front of Mailpit
  • Use firewall rules to whitelist only known development machine IPs that require SMTP access

```bash
# Configuration example - restrict Mailpit's SMTP listener to localhost only
# (Mailpit's flag is --smtp / -s; MP_SMTP_BIND_ADDR is the equivalent environment variable)
mailpit --smtp 127.0.0.1:1025

# Alternative: use the host firewall to allow only the development subnet
iptables -A INPUT -p tcp --dport 1025 -s 192.168.1.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 1025 -j DROP
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
