CVE-2026-29133
Published: 02 April 2026
Summary
CVE-2026-29133 is a critical-severity Improper Input Validation (CWE-20) vulnerability in SEPPmail Secure Email Gateway. Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It ranks at the 18.2 percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Directly enforces validation of PGP key UIDs to match associated email addresses during upload, addressing the core improper input validation (CWE-20) vulnerability.
Ensures timely identification, reporting, testing, and installation of software patches like SEPPmail 15.0.3 that remediate the PGP key UID mismatch flaw.
Requires identification and authentication for non-organizational users to access PGP key upload functionality, blocking unauthenticated network-based exploitation.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Vulnerability in public-facing email gateway directly enables exploitation via T1190; improper UID validation bypasses key authenticity controls, mapping to T1553 for impersonation and encryption/signing subversion.
NVD Description
SEPPmail Secure Email Gateway before version 15.0.3 allows an attacker to upload PGP keys with UIDs that do not match their email address.
Deeper analysis
CVE-2026-29133 is a vulnerability in SEPPmail Secure Email Gateway versions prior to 15.0.3 that allows an attacker to upload PGP keys with User IDs (UIDs) that do not match their associated email address. This issue stems from improper input validation (CWE-20) and has a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N), indicating critical severity due to high impacts on confidentiality and integrity with no availability disruption.
An unauthenticated attacker with network access can exploit this vulnerability with low complexity and no user interaction required. By uploading a malicious PGP key with a mismatched UID, the attacker can potentially impersonate legitimate users or bypass email encryption and signing verification mechanisms in the gateway, leading to unauthorized access to sensitive email content or injection of tampered messages.
The SEPPmail release notes for version 15.0.3, available at https://downloads.seppmail.com/extrelnotes/150/ERN15.0.html#seppmail-vulnerability-disclosure-1503, disclose this vulnerability and confirm that upgrading to version 15.0.3 mitigates the issue by enforcing proper UID validation during PGP key uploads.
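The check described above (UIDs on an uploaded key must match the uploader's email address) can be sketched as follows. This is an added example, not SEPPmail's code. It assumes the UID strings have already been extracted from the key by an OpenPGP parser and that the gateway has verified the uploader's address; the function names `uid_address` and `check_upload` are hypothetical, and requiring every UID to match is a strict policy chosen for the example.

```python
import re
import unicodedata

ANGLE = re.compile(r"<([^<>]*)>")
ADDR = re.compile(r"[a-z0-9.!#$%&'*+/=?^_`{|}~-]+@[a-z0-9-]+(?:\.[a-z0-9-]+)+")


def uid_address(uid):
    """Return the single address a UID carries, lowercased, or None if the
    UID is malformed or ambiguous."""
    text = unicodedata.normalize("NFKC", uid).strip()
    # Control/format characters (e.g. bidi overrides) can hide the real address.
    if any(unicodedata.category(ch) in ("Cc", "Cf") for ch in text):
        return None
    found = ANGLE.findall(text)
    if len(found) > 1:
        return None
    if found:
        rest = ANGLE.sub("", text, count=1)
        # A second address or a stray bracket in the display part is ambiguous.
        if any(ch in rest for ch in "<>@"):
            return None
        candidate = found[0]
    else:
        candidate = text  # bare "user@example.org" UID
    # Assumption: addresses are compared case-insensitively, ASCII only.
    candidate = candidate.strip().lower()
    return candidate if ADDR.fullmatch(candidate) else None


def check_upload(uids, verified_sender):
    """Accept a key only if every UID names the verified uploader address.
    Returns (accepted, rejected_uids)."""
    expected = verified_sender.strip().lower()
    rejected = [u for u in uids if uid_address(u) != expected]
    return (bool(uids) and not rejected, rejected)


if __name__ == "__main__":
    # Constructed sample UIDs, not taken from any real key.
    sample = ["Alice Example <alice@example.org>", "Bob <bob@example.net>"]
    print(check_upload(sample, "alice@example.org"))
```

A key with no UIDs, or with any UID the parser cannot reduce to exactly one address, is rejected rather than accepted by default.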
Details
- CWE(s)