Cyber Resilience

CVE-2026-29132

Medium

Published: 02 April 2026

Published
02 April 2026
Modified
16 April 2026
KEV Added
Patch
CVSS Score v4 6.3 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0005 15.1th percentile
Risk Priority 13 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-29132 is a medium-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Seppmail Secure Email Gateway. Its CVSS base score is 6.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 15.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-11 (Re-authentication).

Deeper analysis

CVE-2026-29132 is a vulnerability in SEPPmail Secure Email Gateway versions prior to 15.0.3 that enables an attacker with access to a victim's GINA account to bypass the second-password check and access protected emails. Classified under CWE-306 (Missing Authentication for Critical Function), it carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high confidentiality impact with network accessibility, low attack complexity, and no requirements for privileges or user interaction.

An attacker who gains access to a victim's GINA (Graphical Identification and Network Authentication) account can exploit this flaw remotely over the network without authentication. Successful exploitation allows the attacker to circumvent the additional password protection mechanism, enabling unauthorized reading of sensitive, protected email content within the SEPPmail environment.

The SEPPmail release notes at https://downloads.seppmail.com/extrelnotes/150/ERN15.0.html#seppmail-vulnerability-disclosure-1503 detail the vulnerability disclosure and confirm that upgrading to version 15.0.3 resolves the issue by implementing the necessary authentication enforcement. Security practitioners should prioritize patching affected installations to mitigate this risk.

EU & UK References

Vulnerability details

SEPPmail Secure Email Gateway before version 15.0.3 allows an attacker with access to a victim's GINA account to bypass a second-password check and read protected emails.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1114.002 Remote Email Collection Collection
Adversaries may target an Exchange server, Office 365, or Google Workspace to collect sensitive information.
Why these techniques?

Missing authentication flaw in public-facing SEPPmail gateway enables remote bypass of second-password check to read protected emails, directly supporting exploitation of the application and remote email collection.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-29131Same product: Seppmail Secure Email Gateway
CVE-2026-29134Same product: Seppmail Secure Email Gateway
CVE-2026-29143Same product: Seppmail Secure Email Gateway
CVE-2026-29135Same product: Seppmail Secure Email Gateway
CVE-2026-29133Same product: Seppmail Secure Email Gateway
CVE-2026-29139Same product: Seppmail Secure Email Gateway
CVE-2026-29138Same product: Seppmail Secure Email Gateway
CVE-2026-2234Shared CWE-306
CVE-2026-2747Same vendor: Seppmail
CVE-2026-2743Same vendor: Seppmail

Affected Assets

seppmail
secure email gateway
≤ 15.0.3

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Requires timely remediation of flaws like CVE-2026-29132 through patching to eliminate the authentication bypass vulnerability.

prevent

Mandates re-authentication for sensitive functions such as accessing protected emails, directly countering the second-password bypass.

prevent

Ensures the system enforces approved authorizations, preventing unauthorized access to protected emails despite GINA account credentials.

References