CVE-2026-29139
Published: 02 April 2026
Summary
CVE-2026-29139 is a critical-severity Authentication Bypass Using an Alternate Path or Channel (CWE-288) vulnerability in SEPPmail Secure Email Gateway. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 18.4th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and AC-2 (Account Management).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Directly mitigates the vulnerability by requiring identification, reporting, and timely patching of security flaws like the GINA account initialization bypass fixed in SEPPmail 15.0.3.
Requires identity verification and secure procedures for initial authenticator distribution and password resets, preventing unauthorized abuse of account initialization features.
Mandates secure account management including password changes, notifications of account modifications, and review of unused accounts to limit and detect unauthorized takeovers.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Auth bypass in public-facing SEPPmail gateway directly enables remote exploitation (T1190) leading to account takeover and subsequent use of valid accounts (T1078).
NVD Description
SEPPmail Secure Email Gateway before version 15.0.3 allows account takeover by abusing GINA account initialization to reset a victim account password.
Deeper analysis
CVE-2026-29139 is a critical authentication bypass vulnerability affecting SEPPmail Secure Email Gateway versions prior to 15.0.3. The flaw allows attackers to achieve account takeover by abusing the GINA account initialization feature to reset a victim account's password. It has been assigned CWE-288 (Authentication Bypass Using an Alternate Path or Channel) and a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). The score reflects a network attack vector, low attack complexity, and no required privileges or user interaction.
An unauthenticated attacker with network access to the affected SEPPmail instance can exploit this vulnerability remotely without user interaction. By leveraging the GINA account initialization process, the attacker can reset passwords for legitimate user accounts, enabling full account takeover. Successful exploitation has a high impact on confidentiality, integrity, and availability, potentially allowing the attacker to impersonate users, access sensitive email data, or perform administrative actions within the gateway.
The official SEPPmail release notes for version 15.0 document this vulnerability disclosure and confirm that upgrading to SEPPmail Secure Email Gateway 15.0.3 or later resolves the issue. Security practitioners should prioritize patching affected systems, as detailed in the advisory at https://downloads.seppmail.com/extrelnotes/150/ERN15.0.html#seppmail-vulnerability-disclosure-1503.
Details
- CWE(s)