Mailpit has SMTP Header Injection via Regex Bypass
Description
Mailpit is an email testing tool and API for developers. Prior to version 1.28.3, Mailpit's SMTP server is vulnerable to header injection because the regular expression used to validate RCPT TO and MAIL FROM addresses is insufficient. An attacker can inject arbitrary SMTP headers (or corrupt existing ones) by including carriage return characters (\r) in the email address. The injection is possible because the regex intended to filter control characters fails to exclude \r and \n when they are used inside a character class. Version 1.28.3 fixes this issue.
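The following Go program is an added example, not Mailpit's code and not part of the advisory: it contrasts a regex-only extraction of the MAIL FROM argument with the regex-plus-net/mail check that the fix introduces. The pattern `mailFromRE`, the helper names `regexOnly` and `validated`, and the sample arguments are all constructed for illustration; only the validation steps (regex match, rejection of embedded spaces, then `mail.ParseAddress`) follow the patch.

```go
package main

import (
	"fmt"
	"net/mail"
	"regexp"
	"strings"
)

// Constructed extraction regex for the MAIL FROM argument. This is an
// assumption for illustration, not Mailpit's real mailFromRE: it stops only at
// the closing '>' and so lets control characters through the capture group,
// which is the class of weakness the advisory describes.
var mailFromRE = regexp.MustCompile(`(?i)^FROM:\s*<([^>]*)>`)

// regexOnly shows the pre-fix shape: whatever the capture group holds is
// trusted as the sender address.
func regexOnly(args string) (string, bool) {
	m := mailFromRE.FindStringSubmatch(args)
	if m == nil {
		return "", false
	}
	return m[1], true
}

// validated follows the same steps as the patched extractAndValidateAddress:
// regex match, reject embedded spaces, then require net/mail to parse the
// address as RFC 5322. An empty capture (the null reverse-path MAIL FROM:<>)
// is allowed through without parsing, as in the patch.
func validated(args string) (string, bool) {
	m := mailFromRE.FindStringSubmatch(args)
	if m == nil || strings.Contains(m[1], " ") {
		return "", false
	}
	if m[1] == "" {
		return "", true
	}
	if _, err := mail.ParseAddress(m[1]); err != nil {
		return "", false
	}
	return m[1], true
}

func main() {
	// Constructed sample arguments as an SMTP server would see them after the
	// "MAIL " verb; the third one carries a CRLF-separated header inside the
	// address, the pattern the advisory warns about.
	samples := []string{
		"FROM:<alice@example.com>",
		"FROM:<>",
		"FROM:<alice@example.com\r\nBcc: bob@example.com>",
		"FROM:<alice example.com>",
	}
	for _, s := range samples {
		_, regexOK := regexOnly(s)
		_, validOK := validated(s)
		fmt.Printf("%-55q regex-only=%-5t validated=%t\n", s, regexOK, validOK)
	}
}
```

`[^>]*` lets `\r` and `\n` through because a negated class in Go's RE2 syntax matches newline characters even though `.` does not, which is the kind of character-class gap the description refers to. `mail.ParseAddress` rejects the CRLF payload because CR is not an atext character, so it cannot be part of the local part or domain, and any bytes left over after the addr-spec make the single-address check fail.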
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| github.com/axllent/mailpit | Go | < 1.28.3 | 1.28.3 |
Affected products
Patches
36cc06c12595 Security: Ensure SMTP TO & FROM addresses are RFC 5322 compliant and prevent header injection ([GHSA-54wq-72mp-cq7c](https://github.com/axllent/mailpit/security/advisories/GHSA-54wq-72mp-cq7c))
1 file changed · +23 −2
internal/smtpd/smtpd.go+23 −2 modified@@ -15,6 +15,7 @@ import ( "io/fs" "log" "net" + "net/mail" "os" "regexp" "strconv" @@ -421,7 +422,7 @@ loop: break } - match := mailFromRE.FindStringSubmatch(args) + match := extractAndValidateAddress(mailFromRE, args) if match == nil { s.writef("501 5.5.4 Syntax error in parameters or arguments (invalid FROM parameter)") } else { @@ -477,7 +478,7 @@ loop: break } - match := rcptToRE.FindStringSubmatch(args) + match := extractAndValidateAddress(rcptToRE, args) if match == nil { s.writef("501 5.5.4 Syntax error in parameters or arguments (invalid TO parameter)") } else { @@ -1014,3 +1015,23 @@ func (s *session) handleAuthCramMD5() (bool, error) { return authenticated, err } + +// Extract and validate email address from a regex match. +// This ensures that only RFC 5322 email addresses are accepted (if set). +func extractAndValidateAddress(re *regexp.Regexp, args string) []string { + match := re.FindStringSubmatch(args) + if match == nil || strings.Contains(match[1], " ") { + return nil + } + + // first argument will be the email address, validate it if not empty + if match[1] != "" { + // fmt.Println("Validating email address:", match[1]) + _, err := mail.ParseAddress(match[1]) + if err != nil { + return nil + } + } + + return match +}
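Review bot: the import hunk adds only `net/mail` for `mail.ParseAddress`, but the new `extractAndValidateAddress` also calls `strings.Contains`, and no `strings` import is visible in this hunk's context (`io/fs`, `log`, `net`, `os`, `regexp`, `strconv`); confirm that `strings` is already imported further down the import block, otherwise the file will not compile.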
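Review bot: the MAIL FROM hunk swaps `mailFromRE.FindStringSubmatch(args)` for `extractAndValidateAddress(mailFromRE, args)`, yet the change touches one file only (`1 file changed · +23 −2`), so nothing exercises the new rejection path; add a test that sends `MAIL FROM` with a carriage return inside the angle brackets and asserts the `501 5.5.4 Syntax error in parameters or arguments (invalid FROM parameter)` reply, since that is the exact case the advisory describes.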
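Review bot: in `extractAndValidateAddress` the result of `mail.ParseAddress(match[1])` is discarded and the raw `match[1]` is handed back to the callers, so the string used downstream is the unparsed capture rather than the canonical `addr.Address`; consider returning `match` with `match[1]` replaced by the parsed address so that what was validated is what is used. The commented-out `// fmt.Println("Validating email address:", match[1])` debug line should be removed. The `strings.Contains(match[1], " ")` guard also means the `"Name" <user@example.com>` form, which `mail.ParseAddress` alone would accept, is rejected before parsing; that is reasonable for SMTP envelope addresses but worth stating in the function comment, which currently only says "RFC 5322 email addresses are accepted (if set)".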
Vulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-54wq-72mp-cq7c (ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2026-23829 (ADVISORY)
- github.com/axllent/mailpit/commit/36cc06c125954dec6673219dafa084e13cc14534 (WEB)
- github.com/axllent/mailpit/releases/tag/v1.28.3 (WEB)
- github.com/axllent/mailpit/security/advisories/GHSA-54wq-72mp-cq7c (CONFIRM)