CVE-2026-23829

MEDIUM · NUCLEI

Mailpit < 1.28.3 - SMTP Header Injection via RCPT TO and MAIL FROM Address Validation

Title source: llm

Exploitation Summary

EIP tracks 3 public exploits for CVE-2026-23829. PoCs published by XiaomingX, SimoesCTT. A Nuclei detection template is also available.

AI-analyzed exploit summary: This repository contains a functional exploit for CVE-2026-23829, a CRLF injection vulnerability in Mailpit's SMTP server. The exploit demonstrates the vulnerability and includes a novel phase-based reconstruction technique to recover the original SMTP command from corrupted logs.

Description

Mailpit is an email testing tool and API for developers. Prior to version 1.28.3, Mailpit's SMTP server is vulnerable to header injection because the regular expression used to validate `RCPT TO` and `MAIL FROM` addresses is insufficient: it is meant to filter control characters, but fails to exclude `\r` and `\n` when they are placed inside a character class. An attacker can therefore inject arbitrary SMTP headers, or corrupt existing ones, by including carriage return characters (`\r`) in the email address. Version 1.28.3 fixes this issue.
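The following is an added illustration of the bug class described above, written for this page; it is not Mailpit's own validator, its actual regular expression, or code from any of the listed PoCs. The names `looseAddress`, `strictAddress`, `ReadCommands`, `ExtractRcpt`, `ReceivedHeader` and `HeaderLines` are hypothetical, and the SMTP stream is constructed. It shows the two things a practitioner needs to see: why a bare `\r` survives a CRLF-delimited command reader and lands in a header rendered from the envelope address, and what a validator that actually rejects control characters looks like next to one that does not.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
)

// Hypothetical validators, not Mailpit's code. looseAddress is shaped like a
// check that only cares about "one @ and no spaces": nothing in its character
// classes excludes control bytes, so a bare CR (0x0d) passes. strictAddress is
// the hardened form: it rejects every ASCII control byte (0x00-0x1f, which
// covers CR and LF) and DEL (0x7f) in both halves of the address.
var (
	looseAddress  = regexp.MustCompile(`^[^@ ]+@[^@ ]+$`)
	strictAddress = regexp.MustCompile(`^[^\x00-\x1f\x7f@ ]+@[^\x00-\x1f\x7f@ ]+$`)
	rcptTo        = regexp.MustCompile(`(?i)^RCPT TO:<(.*)>$`)
)

func LooseValid(addr string) bool  { return looseAddress.MatchString(addr) }
func StrictValid(addr string) bool { return strictAddress.MatchString(addr) }

// ReadCommands splits a raw SMTP stream into commands the way a line-based
// server does: on LF, dropping a trailing CR. A CR that is not followed by LF
// is not a line terminator, so it survives inside the command text.
func ReadCommands(raw string) []string {
	var cmds []string
	sc := bufio.NewScanner(strings.NewReader(raw))
	for sc.Scan() {
		cmds = append(cmds, sc.Text())
	}
	return cmds
}

// ExtractRcpt returns the forward-path of a RCPT TO command, or "" if cmd is
// not one. RE2's "." matches CR (it only refuses LF), so the CR is carried
// through into the extracted address.
func ExtractRcpt(cmd string) string {
	m := rcptTo.FindStringSubmatch(cmd)
	if m == nil {
		return ""
	}
	return m[1]
}

// ReceivedHeader renders the envelope recipient into a trace header, as a
// server does when it stores or forwards the message (hypothetical format).
func ReceivedHeader(addr string) string {
	return fmt.Sprintf("Received: from client by mailserver for <%s>", addr)
}

// HeaderLines models a lenient header parser that treats a bare CR or LF as a
// line break: everything after the injected CR is read as a separate header.
func HeaderLines(hdr string) []string {
	return strings.FieldsFunc(hdr, func(r rune) bool { return r == '\r' || r == '\n' })
}

func main() {
	// Constructed client stream: the RCPT TO forward-path carries a bare CR.
	stream := "EHLO probe\r\n" +
		"MAIL FROM:<sender@example.net>\r\n" +
		"RCPT TO:<victim@example.com\rX-Injected:true>\r\n" +
		"DATA\r\n"
	for _, cmd := range ReadCommands(stream) {
		addr := ExtractRcpt(cmd)
		if addr == "" {
			continue
		}
		fmt.Printf("loose accepts: %v, strict accepts: %v\n", LooseValid(addr), StrictValid(addr))
		for i, line := range HeaderLines(ReceivedHeader(addr)) {
			fmt.Printf("header line %d: %q\n", i+1, line)
		}
	}
}
```

The loose check accepts the address and the rendered trace header splits into two lines, the second beginning with `X-Injected:`; the strict check rejects it before any header is built. The same probe (a `RCPT TO` whose path contains a bare `\r`) is the check to run against a deployed instance after upgrading: a fixed server should refuse the address rather than accept the transaction.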

Exploits (3)

github WORKING POC 10 stars
by XiaomingX · python · poc
https://github.com/XiaomingX/data-cve-poc-py-v1/tree/main/2026/CVE-2026-23829

This repository contains a functional exploit for CVE-2026-23829, a CRLF injection vulnerability in Mailpit's SMTP server. The exploit demonstrates the vulnerability and includes a novel phase-based reconstruction technique to recover the original SMTP command from corrupted logs.

Classification
Working Poc 95%
Attack Type
Other
Complexity
Complex
Reliability
Reliable
Target: Mailpit SMTP server
No auth needed
Prerequisites: Mailpit SMTP server running on target host
devstral-2 · analyzed Feb 27, 2026
nomisec WORKING POC
by SimoesCTT · poc
https://github.com/SimoesCTT/-CVE-2026-23829-CTT-Mailpit-phase-reconstruction-

This repository contains a functional exploit for CVE-2026-23829, a CRLF injection vulnerability in Mailpit's SMTP server, combined with a novel phase-based reconstruction technique using Convergent Time Theory (CTT). The exploit demonstrates both the vulnerability and a method to recover corrupted data.

Classification
Working Poc 95%
Attack Type
Other
Complexity
Complex
Reliability
Theoretical
Target: Mailpit SMTP server
No auth needed
Prerequisites: Access to Mailpit SMTP server · Python environment with numpy and scipy
devstral-2 · analyzed Feb 19, 2026
nomisec WORKING POC
by SimoesCTT · poc
https://github.com/SimoesCTT/CTT-Mailpit-RCE-v1.0---Temporal-Resonance-Mail-Server-Takeover

This PoC exploits CVE-2026-23829 in Mailpit SMTP Server by leveraging header injection to achieve RCE, with additional features like temporal resonance and worm propagation. The exploit uses SMTP protocol manipulation and embedded payloads to execute commands and establish persistence.

Classification
Working Poc 90%
Attack Type
Rce
Complexity
Complex
Reliability
Theoretical
Target: Mailpit SMTP Server
No auth needed
Prerequisites: Network access to target SMTP server · Target running vulnerable Mailpit version
devstral-2 · analyzed Feb 16, 2026

Nuclei Templates (1)

Mailpit < 1.28.2 - SMTP CRLF Injection
MEDIUM · VERIFIED · by omarkurt
Shodan: title:"Mailpit"
FOFA: title="Mailpit"

Scores

CVSS v3 5.3
EPSS 0.0159
EPSS Percentile 82.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact partial

Details

CWE
CWE-150 CWE-93
Status published
Products (2)
axllent/mailpit < 1.28.3
axllent/mailpit 0 - 1.28.3 (Go)
Published Jan 19, 2026
Tracked Since Feb 18, 2026