CVE-2026-29132
Published: 02 April 2026
Summary
CVE-2026-29132 is a high-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Seppmail Secure Email Gateway. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 13.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-11 (Re-authentication).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Requires timely remediation of flaws like CVE-2026-29132 through patching to eliminate the authentication bypass vulnerability.
Mandates re-authentication for sensitive functions such as accessing protected emails, directly countering the second-password bypass.
Ensures the system enforces approved authorizations, preventing unauthorized access to protected emails despite GINA account credentials.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Missing authentication flaw in public-facing SEPPmail gateway enables remote bypass of second-password check to read protected emails, directly supporting exploitation of the application and remote email collection.
NVD Description
SEPPmail Secure Email Gateway before version 15.0.3 allows an attacker with access to a victim's GINA account to bypass a second-password check and read protected emails.
Deeper analysisAI
CVE-2026-29132 is a vulnerability in SEPPmail Secure Email Gateway versions prior to 15.0.3 that enables an attacker with access to a victim's GINA account to bypass the second-password check and access protected emails. Classified under CWE-306 (Missing Authentication for Critical Function), it carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high confidentiality impact with network accessibility, low attack complexity, and no requirements for privileges or user interaction.
An attacker who gains access to a victim's GINA (Graphical Identification and Network Authentication) account can exploit this flaw remotely over the network without authentication. Successful exploitation allows the attacker to circumvent the additional password protection mechanism, enabling unauthorized reading of sensitive, protected email content within the SEPPmail environment.
The SEPPmail release notes at https://downloads.seppmail.com/extrelnotes/150/ERN15.0.html#seppmail-vulnerability-disclosure-1503 detail the vulnerability disclosure and confirm that upgrading to version 15.0.3 resolves the issue by implementing the necessary authentication enforcement. Security practitioners should prioritize patching affected installations to mitigate this risk.
Details
- CWE(s)