Cyber Resilience

CVE-2026-29134

Medium

Published: 02 April 2026

Modified: 16 April 2026
CVSS Score v4: 5.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0008 (22.7th percentile)
Risk Priority: 11 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-29134 is a medium-severity Reliance on Untrusted Inputs in a Security Decision (CWE-807) vulnerability in SEPPmail Secure Email Gateway. Its CVSS base score is 5.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 22.7th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-8 (Identification and Authentication (Non-organizational Users)).

Deeper analysis

CVE-2026-29134 is a vulnerability in SEPPmail Secure Email Gateway versions prior to 15.0.3 that allows an external user to modify GINA webdomain metadata and bypass per-domain restrictions. This issue, published on 2026-04-02, carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N) and is linked to CWE-807.

The vulnerability can be exploited over the network by any unauthenticated external attacker with low attack complexity and no user interaction required. Successful exploitation enables the attacker to alter GINA webdomain metadata, circumventing per-domain restrictions and achieving high integrity impact while preserving confidentiality and availability.

Mitigation is available in SEPPmail Secure Email Gateway version 15.0.3. Additional details on the vulnerability disclosure and patching are provided in the vendor's release notes at https://downloads.seppmail.com/extrelnotes/150/ERN15.0.html#seppmail-vulnerability-disclosure-1503.

Vulnerability details

SEPPmail Secure Email Gateway before version 15.0.3 allows an external user to modify GINA webdomain metadata and bypass per-domain restrictions.

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Unauthenticated network exploitation of public-facing SEPPmail Secure Email Gateway to modify metadata and bypass domain restrictions directly matches T1190.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-29135: Same product: SEPPmail Secure Email Gateway
CVE-2026-29143: Same product: SEPPmail Secure Email Gateway
CVE-2026-29139: Same product: SEPPmail Secure Email Gateway
CVE-2026-29133: Same product: SEPPmail Secure Email Gateway
CVE-2026-29131: Same product: SEPPmail Secure Email Gateway
CVE-2026-29132: Same product: SEPPmail Secure Email Gateway
CVE-2026-29138: Same product: SEPPmail Secure Email Gateway
CVE-2026-2743: Same vendor: SEPPmail
CVE-2026-2747: Same vendor: SEPPmail
CVE-2024-13974: Shared CWE-807

Affected Assets

seppmail secure email gateway ≤ 15.0.3

Mitigating Controls (NIST 800-53 r5)

prevent

Enforces approved authorizations preventing unauthorized external users from modifying GINA webdomain metadata and bypassing per-domain restrictions.

prevent

Validates inputs to GINA webdomain functions to reject malicious modifications that circumvent per-domain restrictions.

prevent

Requires identification and authentication for non-organizational external users accessing metadata modification capabilities in the Secure Email Gateway.
