CVE-2021-40347
Description
An attacker logged into any account can unsubscribe any user from any mailing list, also revealing subscription status, via crafted POST request in Postorius before 1.3.5.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The issue exists in views/list.py of GNU Mailman Postorius before version 1.3.5 [1]. The ListUnsubscribeView does not verify that the authenticated user owns the email address they are requesting to unsubscribe [2]. As a result, any logged-in user can craft a POST request to unsubscribe any email address from any mailing list [4].
Exploitation
An attacker must be logged into any account on the Postorius instance [1]. They can then send a crafted POST request to the unsubscribe/ endpoint, altering the request (for example, changing the URL path from subscribe to unsubscribe/ and setting the email parameter to the target address) [4]. No special privileges or user interaction beyond authentication are required.
Impact
Successful exploitation allows the attacker to unsubscribe any user from any mailing list, causing denial of service or unauthorized removal [1][4]. Additionally, the response indicates whether the target address was subscribed, leaking membership information [2][4].
Mitigation
The vulnerability is fixed in Postorius version 1.3.5, released on September 5, 2021 [3]. The fix adds validation that the requesting user owns the email address being unsubscribed [2]. Users should upgrade to 1.3.5 or later. No workaround is documented.
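The defect described under Vulnerability and the fix described here are a missing object-level authorization check. The following is an added illustration, not Postorius's own code (the real views are Django class-based views backed by mailmanclient and are not reproduced): a simplified unsubscribe handler that trusts the posted address, beside a hardened one that first checks the address belongs to the logged-in user and keeps the response identical for addresses the caller does not own, so it cannot be used as a membership oracle. The `Session`, `MailingList` and `make_sample_lists` names and the sample addresses are constructed for the example.

```python
# Added example (not Postorius code): unsubscribe handler without and with an
# ownership check. Data model and names are constructed for illustration.
from dataclasses import dataclass, field


@dataclass
class Session:
    """Authenticated user and the e-mail addresses they have verified."""
    username: str
    verified_emails: set[str]


@dataclass
class MailingList:
    list_id: str
    members: set[str] = field(default_factory=set)


def make_sample_lists() -> dict[str, MailingList]:
    """Fresh constructed sample data so each call starts from a known state."""
    return {
        "announce@example.com": MailingList(
            "announce@example.com", {"alice@example.com", "bob@example.com"}
        )
    }


def _normalize(email: str) -> str:
    return email.strip().lower()


def unsubscribe_vulnerable(session: Session, list_id: str, email: str,
                           lists: dict[str, MailingList]) -> dict:
    """Pattern behind CVE-2021-40347: the handler acts on whatever `email`
    was posted and never checks that `session` owns it. The response also
    differs by membership, so it leaks whether `email` was subscribed."""
    mlist = lists[list_id]
    email = _normalize(email)
    if email in mlist.members:
        mlist.members.remove(email)
        return {"status": 200, "message": f"{email} has been unsubscribed from {list_id}."}
    return {"status": 400, "message": f"{email} is not subscribed to {list_id}."}


def unsubscribe_fixed(session: Session, list_id: str, email: str,
                      lists: dict[str, MailingList]) -> dict:
    """Hardened handler: authorize before acting. For any address the caller
    does not own, the response is the same whether or not it is subscribed,
    so no membership information is disclosed."""
    mlist = lists[list_id]
    email = _normalize(email)
    if email not in {_normalize(e) for e in session.verified_emails}:
        return {"status": 403, "message": "You can only unsubscribe addresses you own."}
    if email in mlist.members:
        mlist.members.remove(email)
        return {"status": 200, "message": f"{email} has been unsubscribed from {list_id}."}
    # The caller owns this address, so telling them it is not subscribed is fine.
    return {"status": 400, "message": f"{email} is not subscribed to {list_id}."}


if __name__ == "__main__":
    mallory = Session("mallory", {"mallory@example.com"})
    print(unsubscribe_vulnerable(mallory, "announce@example.com", "alice@example.com", make_sample_lists()))
    print(unsubscribe_fixed(mallory, "announce@example.com", "alice@example.com", make_sample_lists()))
```

The 403 branch deliberately runs before any lookup of the target address: ordering the ownership check first is what removes both the unauthorized removal and the subscription-status leak at once.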
- [1] NVD - CVE-2021-40347
- [2] Check a user owns the email they are trying to unsubscribe (CVE-2021-40347) (3d880c56) · Commits · GNU Mailman / Postorius · GitLab
- [3] Tags · GNU Mailman / Postorius · GitLab
- [4] Logged-in user can unsubscribe anyone from any list using specially crafted POST request (CVE-2021-40347) (#531) · Issues · GNU Mailman / Postorius · GitLab
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| postorius (PyPI) | < 1.3.5 | 1.3.5 |
Affected products
- GNU Mailman / Postorius
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-v83x-78q3-gr2j (advisory)
- nvd.nist.gov/vuln/detail/CVE-2021-40347 (advisory)
- www.debian.org/security/2021/dsa-4970 (Debian vendor advisory)
- bugs.debian.org/cgi-bin/bugreport.cgi (confirmation)
- github.com/pypa/advisory-database/tree/main/vulns/postorius/PYSEC-2021-319.yaml
- gitlab.com/mailman/postorius/-/commit/3d880c56b58bc26b32eac0799407d74b64b7474b (fix commit)
- gitlab.com/mailman/postorius/-/issues/531 (issue)
- gitlab.com/mailman/postorius/-/tags
- phabricator.wikimedia.org/T289798
News mentions
No linked articles in our index yet.