CVE-2026-23829: Mailpit has an SMTP Header Injection via Regex Bypass
Mailpit's SMTP server is vulnerable to header injection because the regular expression used to validate RCPT TO and MAIL FROM addresses is insufficient. An attacker can inject arbitrary SMTP headers (or corrupt existing ones) by including carriage return characters (\r) in the email address. The injection is possible because the character class in the regex that was intended to filter control characters fails to exclude \r and \n.
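The following Go program is an added illustration of the bug class described above; it is not Mailpit's code, and the weak pattern is a constructed stand-in for a negated character class that omits \r and \n. It shows the bypass, a hardened class that excludes all ASCII control characters, and a regex-independent CR/LF guard.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed stand-in for the flawed check (NOT Mailpit's actual regex):
// the negated class lists a few forbidden characters but never excludes
// \r or \n, so [^ <>@] happily matches a carriage return or line feed.
var weakAddr = regexp.MustCompile(`^[^ <>@]+@[^ <>@]+$`)

// Hardened variant: the class additionally excludes every ASCII control
// character (0x00-0x1F and 0x7F), so CR/LF can never be part of an
// accepted address. Go's `$` matches only at end of text, not before a
// trailing newline, so the anchor does not reopen the hole.
var strictAddr = regexp.MustCompile(`^[^\x00-\x1f\x7f <>@]+@[^\x00-\x1f\x7f <>@]+$`)

// WeakValid reproduces the bypass: an address with embedded CR/LF passes.
func WeakValid(addr string) bool { return weakAddr.MatchString(addr) }

// StrictValid rejects any address containing a control character.
func StrictValid(addr string) bool { return strictAddr.MatchString(addr) }

// ContainsCRLF is an explicit guard that does not depend on the regex;
// apply it to every SMTP parameter before it is written into a header.
func ContainsCRLF(s string) bool { return strings.ContainsAny(s, "\r\n") }

func main() {
	// Constructed sample addresses; the second carries an embedded CRLF.
	for _, addr := range []string{"alice@example.com", "bob@example.com\r\nX-Test:1"} {
		fmt.Printf("%q weak=%v strict=%v crlf=%v\n",
			addr, WeakValid(addr), StrictValid(addr), ContainsCRLF(addr))
	}
}
```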