CVE-2024-49395: Exposure of Sensitive Information Through Metadata
In mutt and neomutt, PGP encryption does not use the --hidden-recipient mode, which may leak the Bcc email header field because the Bcc recipients can be inferred from the recipient information embedded in the encrypted message.
AI Analysis
Technical Summary
The vulnerability CVE-2024-49395 affects the mutt and neomutt email clients. It arises because PGP encryption is performed without the --hidden-recipient mode, which is intended to conceal Bcc recipients: when a message is encrypted for every To, Cc and Bcc recipient, each recipient's key ID is written into the encrypted message, so anyone holding the ciphertext can reconstruct the full recipient list, including the Bcc recipients the visible headers omit. The CVSS 3.1 base score is 5.3 (medium), with network attack vector, low attack complexity, no privileges or user interaction required, and limited confidentiality impact. No vendor advisory details on patch availability or affected versions are provided beyond the Red Hat advisory link.
Potential Impact
The impact is limited to confidentiality, specifically the potential exposure of Bcc recipients through metadata inference. There is no impact on integrity or availability. This could lead to unintended disclosure of recipient information in emails encrypted with PGP using mutt or neomutt without the hidden-recipient mode.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory at https://access.redhat.com/security/cve/CVE-2024-49395 for current remediation guidance. Until a fix is available, users should be aware that PGP encryption in mutt or neomutt can leak Bcc recipients through message metadata, and should consider configurations that hide recipient information (such as gpg's --hidden-recipient mode) or avoid relying on Bcc for confidentiality in PGP-encrypted mail.
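As an added check, not part of this record or of mutt/neomutt, the following Python script parses the session-key packets of a binary OpenPGP message and reports whether any of them names a recipient key ID; a message produced with gpg's --hidden-recipient mode carries only all-zero key IDs. The sample packets are constructed inline; the function names are the script's own.

```python
# gpg --recipient writes each recipient's 64-bit key ID into a Public-Key
# Encrypted Session Key (PKESK) packet; --hidden-recipient writes all zeros
# instead (RFC 4880, section 5.1), so recipients cannot be read off the ciphertext.
HIDDEN_KEY_ID = "0000000000000000"

def read_header(data: bytes, pos: int):
    """Parse one packet header; return (tag, body_length, body_start)."""
    ctb = data[pos]
    if not ctb & 0x80:
        raise ValueError("not an OpenPGP packet header")
    if ctb & 0x40:                       # new-format header
        tag, first = ctb & 0x3F, data[pos + 1]
        if first < 192:
            return tag, first, pos + 2
        if first < 224:
            return tag, ((first - 192) << 8) + data[pos + 2] + 192, pos + 3
        raise ValueError("long or partial body lengths not supported")
    tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03   # old-format header
    if ltype == 3:
        return tag, len(data) - pos - 1, pos + 1
    size = (1, 2, 4)[ltype]
    return tag, int.from_bytes(data[pos + 1:pos + 1 + size], "big"), pos + 1 + size

def recipient_key_ids(data: bytes) -> list[str]:
    """Hex key ID of every PKESK (tag 1); they precede the encrypted data."""
    ids, pos = [], 0
    while pos < len(data):
        tag, length, start = read_header(data, pos)
        if tag != 1:                     # first non-PKESK packet: stop
            break
        body = data[start:start + length]
        if body[0] != 3:
            raise ValueError(f"unsupported PKESK version {body[0]}")
        ids.append(body[1:9].hex())
        pos = start + length
    return ids

def leaks_recipients(data: bytes) -> bool:
    """True if any session-key packet carries a non-zero recipient key ID."""
    return any(kid != HIDDEN_KEY_ID for kid in recipient_key_ids(data))

# Constructed sample packets (not real ciphertext): version 3, key ID,
# RSA algorithm id 1, then a 16-bit MPI standing in for the encrypted key.
def pkesk(key_id: bytes, old_format: bool = False) -> bytes:
    body = b"\x03" + key_id + b"\x01" + b"\x00\x10\xbe\xef"
    ctb = 0x84 if old_format else 0xC1    # tag 1 in either header style
    return bytes([ctb, len(body)]) + body

VISIBLE = pkesk(bytes.fromhex("0102030405060708")) + pkesk(bytes.fromhex("0a0b0c0d0e0f1011"), True)  # as gpg -r
HIDDEN = pkesk(bytes(8)) + pkesk(bytes(8), True)                                                  # as gpg -R
```

To inspect a real message, dearmor it first and pass the raw bytes to leaks_recipients.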
CVSS v3.1 score: 5.3 (medium)
Technical Details
- Data Version: 5.2
- Assigner Short Name: redhat
- Date Reserved: 2024-10-14T17:56:03.767Z
- CVSS Version: 3.1
- State: PUBLISHED
- Vendor Advisory URLs: https://access.redhat.com/security/cve/CVE-2024-49395 (Red Hat)
Threat ID: 69200f8659bb91a9a9ac5c70
Added to database: 11/21/2025, 07:06:46 UTC
Last enriched: 06/26/2026, 12:25:19 UTC
Last updated: 06/30/2026, 08:51:15 UTC