Cyber Posture

CVE-2026-29134

High

Published: 02 April 2026

Published
02 April 2026
Modified
16 April 2026
KEV Added
Patch
CVSS Score 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
EPSS Score 0.0006 20.0th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-29134 is a high-severity Reliance on Untrusted Inputs in a Security Decision (CWE-807) vulnerability in Seppmail Secure Email Gateway. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 20.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-8 (Identification and Authentication (Non-organizational Users)).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

AC-3 Access Enforcement good match
prevent

Enforces approved authorizations preventing unauthorized external users from modifying GINA webdomain metadata and bypassing per-domain restrictions.

SI-10 Information Input Validation good match
prevent

Validates inputs to GINA webdomain functions to reject malicious modifications that circumvent per-domain restrictions.

IA-8 Identification and Authentication (Non-organizational Users) good match
prevent

Requires identification and authentication for non-organizational external users accessing metadata modification capabilities in the Secure Email Gateway.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
Why these techniques?

Unauthenticated network exploitation of public-facing SEPPmail Secure Email Gateway to modify metadata and bypass domain restrictions directly matches T1190.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

SEPPmail Secure Email Gateway before version 15.0.3 allows an external user to modify GINA webdomain metadata and bypass per-domain restrictions.

Deeper analysisAI

CVE-2026-29134 is a vulnerability in SEPPmail Secure Email Gateway versions prior to 15.0.3 that allows an external user to modify GINA webdomain metadata and bypass per-domain restrictions. This issue, published on 2026-04-02, carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N) and is linked to CWE-807.

The vulnerability can be exploited over the network by any unauthenticated external attacker with low attack complexity and no user interaction required. Successful exploitation enables the attacker to alter GINA webdomain metadata, circumventing per-domain restrictions and achieving high integrity impact while preserving confidentiality and availability.

Mitigation is available in SEPPmail Secure Email Gateway version 15.0.3. Additional details on the vulnerability disclosure and patching are provided in the vendor's release notes at https://downloads.seppmail.com/extrelnotes/150/ERN15.0.html#seppmail-vulnerability-disclosure-1503.

Details

CWE(s)
CWE-807

Affected Products

seppmail
secure email gateway
≤ 15.0.3

CVEs Like This One

CVE-2026-29143Same product: Seppmail Secure Email Gateway
CVE-2026-29135Same product: Seppmail Secure Email Gateway
CVE-2026-29139Same product: Seppmail Secure Email Gateway
CVE-2026-29132Same product: Seppmail Secure Email Gateway
CVE-2026-29131Same product: Seppmail Secure Email Gateway
CVE-2026-29133Same product: Seppmail Secure Email Gateway
CVE-2026-29138Same product: Seppmail Secure Email Gateway
CVE-2026-2743Same vendor: Seppmail
CVE-2026-2747Same vendor: Seppmail
CVE-2025-49827Shared CWE-807

References