CVE-2026-34752

HighPublic PoC

Published: 02 April 2026

Published

02 April 2026

Modified

03 April 2026

KEV Added

—

Patch

—

CVSS Score 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS Score 0.0006 17.7th percentile

Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-34752 is a high-severity Uncaught Exception (CWE-248) vulnerability in Haraka Project Haraka. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 17.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Application or System Exploitation (T1499.004). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly mitigates the vulnerability by requiring identification, reporting, and timely patching of Haraka to version 3.1.4 or later to eliminate the crash from '__proto__:' headers.

SI-10 Information Input Validation good match

prevent

Validates incoming email headers to reject or sanitize invalid names like '__proto__:', preventing the prototype pollution crash in the Haraka worker process.

SC-5 Denial-of-service Protection partial match

prevent

Limits the effects of denial-of-service attacks exploiting this crash by implementing rate limiting or other controls on email processing resources.

MITRE ATT&CK Enterprise TechniquesAI

T1499.004 Application or System Exploitation Impact

Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.

attack.mitre.org →

Why these techniques?

The vulnerability enables an unauthenticated network attacker to crash the Haraka mail server worker process via a crafted email header, directly facilitating Endpoint Denial of Service through application exploitation.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Haraka is a Node.js mail server. Prior to version 3.1.4, sending an email with __proto__: as a header name crashes the Haraka worker process. This issue has been patched in version 3.1.4.

Deeper analysisAI

CVE-2026-34752 is a vulnerability in Haraka, a Node.js mail server, affecting versions prior to 3.1.4. The issue occurs when an email is sent with "__proto__:" as a header name, causing the Haraka worker process to crash. It is associated with CWE-248 and carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), highlighting its potential for high-impact denial of service due to availability disruption.

An unauthenticated attacker with network access to the Haraka server can exploit this vulnerability by simply sending a specially crafted email containing the malicious header. No privileges, user interaction, or complex setup is required, making it straightforward to trigger. Exploitation crashes the worker process, leading to a denial of service that interrupts email handling until the process is manually or automatically restarted.

The vulnerability has been patched in Haraka version 3.1.4. Administrators are advised to upgrade to this version or later to mitigate the issue. Additional details are available in the Haraka release notes at https://github.com/haraka/Haraka/releases/tag/v3.1.4 and the security advisory at https://github.com/haraka/Haraka/security/advisories/GHSA-xph3-r2jf-4vp3.