CVE-2026-44125

CRITICAL

SEPPmail Secure Email Gateway - Missing Authorization in GINAv2

Title source: manual

Description

SEPPmail Secure Email Gateway before version 15.0.4 fails to enforce authorization checks for multiple endpoints in the new GINA UI, allowing unauthenticated remote attackers to access functionality that should require a valid session.

References (2)

Core 2

Core References

https://downloads.seppmail.com/extrelnotes/150/ERN15.0.html#security

https://labs.infoguard.ch/posts/seppmail_secure_e-mail_gateway_rce_vulnerabilities_cve-2026-2743_cve-2026-7864_cve-2026-44127_cve-2026-44128/

Scores

CVSS v4 9.3

EPSS 0.0039

EPSS Percentile 30.2%

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact total

Details

CWE

CWE-862

Status published

Products (1)

SEPPmail AG/Secure Email Gateway < 15.0.4

Published May 08, 2026

Tracked Since May 08, 2026