VYPR
High severityGHSA Advisory· Published May 29, 2026· Updated May 29, 2026

AgenticMail API/storage and outbound relay hardening fixes

CVE-2026-47255

Description

The current upstream main branch at commit 7e0206d was reviewed, and the fix-first patch set was rebased on 2026-05-18. The patches cover: validated and bound inactive-agent hour filtering; storage SQL identifier validation; metadata-backed ownership checks for raw storage SQL; blocking direct storage metadata access through raw SQL; fail-closed outbound worker secret handling; SMTP envelope/header control-character validation before command construction; and TLS certificate verification as the default for MailSender with an explicit opt-out for local development. Validation completed locally with targeted API/Core security tests plus API/Core builds. The security patch branch was not published publicly because te repository's SECURITY.md asks reporters not to open public vulnerability issues.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
@agenticmail/apinpm
< 0.9.320.9.32
@agenticmail/corenpm
< 0.9.100.9.10

Affected products

1

Patches

Vulnerability mechanics

References

8

News mentions

0

No linked articles in our index yet.