
CVE-2024-49395: Exposure of Sensitive Information Through Metadata

Medium
Published: Tue Nov 12 2024 (11/12/2024, 02:08:03 UTC)
Source: CVE Database V5

Description

In mutt and neomutt, PGP encryption does not use the --hidden-recipient mode which may leak the Bcc email header field by inferring from the recipients info.

AI-Powered Analysis

Last updated: 11/21/2025, 07:17:49 UTC

Technical Analysis

CVE-2024-49395 is a vulnerability identified in the mutt and neomutt email clients related to the handling of PGP encrypted emails. Specifically, when encrypting messages, these clients do not use the --hidden-recipient mode of PGP, which is designed to conceal the Bcc recipients from the email headers. As a result, the Bcc field can be inferred by analyzing the recipients' information embedded in the encrypted message metadata. This exposure risks leaking sensitive information about who was blind copied on an email, potentially revealing confidential communication patterns or sensitive recipient identities. The vulnerability has a CVSS 3.1 base score of 5.3, reflecting a medium severity level. It requires no privileges or user interaction to exploit and can be triggered remotely by sending an email to a victim using these clients. The flaw impacts confidentiality but does not affect message integrity or availability. No patches or exploits are currently reported, but the issue is publicly disclosed and should be addressed proactively. The root cause lies in the omission of the --hidden-recipient flag during PGP encryption, which is a known feature to protect recipient privacy. This vulnerability highlights the importance of correctly configuring encryption tools to prevent metadata leakage.

Potential Impact

For European organizations, the exposure of Bcc recipients through this vulnerability can lead to significant confidentiality breaches, especially in sectors handling sensitive or regulated data such as legal, financial, healthcare, and governmental institutions. The leakage of hidden recipients may reveal internal communication structures, confidential partnerships, or whistleblower identities, undermining trust and compliance with data protection regulations like GDPR. Although the vulnerability does not affect message integrity or availability, the privacy implications can result in reputational damage, legal consequences, and loss of competitive advantage. Organizations relying on mutt or neomutt for secure email communications are at risk, particularly those using PGP encryption for sensitive correspondence. The absence of known exploits reduces immediate risk but does not eliminate the potential for future targeted attacks leveraging this metadata exposure.

Mitigation Recommendations

To mitigate CVE-2024-49395, organizations should first verify if mutt or neomutt clients are in use and assess their configurations. Users and administrators should configure PGP encryption to explicitly use the --hidden-recipient mode to prevent leakage of Bcc recipients. This may involve updating encryption command-line options or email client settings. Monitoring for patches or updates from mutt and neomutt developers is critical; once available, these should be applied promptly. Additionally, organizations should consider alternative secure email clients or encryption tools that properly handle recipient metadata. Implementing strict email handling policies and training users on secure email practices can reduce inadvertent exposure. Network monitoring for unusual email metadata patterns may help detect attempts to exploit this vulnerability. Finally, reviewing and minimizing the use of Bcc fields in sensitive communications can reduce the attack surface.
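The leak described in the analysis above, and the configuration check recommended here, can both be made concrete at the packet level. Every OpenPGP message encrypted to public keys begins with one Public-Key Encrypted Session Key (PKESK) packet per recipient (RFC 4880, section 5.1), and each packet carries the recipient's 64-bit key ID in cleartext; `gpg --hidden-recipient` replaces that key ID with eight zero bytes (the wildcard), which is what keeps a Bcc recipient out of the metadata. The following is an added example, not code from mutt, neomutt or GnuPG: a minimal PKESK reader that lists which recipient key IDs an encrypted message exposes and flags any exposed key ID that is not on the To/Cc list. The `LEAKY_MESSAGE` and `HIDDEN_MESSAGE` fixtures and their key IDs are constructed for the demonstration and carry dummy session-key material, since only the packet headers and key-ID fields matter for this check.

```python
"""Detect recipient key IDs exposed in an OpenPGP-encrypted message.

PKESK packet body (RFC 4880 5.1): version (0x03), 8-byte key ID,
public-key algorithm, then algorithm-specific MPIs. A key ID of all
zeros is the wildcard written by `gpg --hidden-recipient`.
"""
import struct

PKESK_TAG = 1
WILDCARD_KEY_ID = b"\x00" * 8


def _read_packet_header(data, offset):
    """Parse one OpenPGP packet header; return (tag, body_offset, body_len)."""
    ctb = data[offset]
    if not ctb & 0x80:
        raise ValueError("not an OpenPGP packet header")
    if ctb & 0x40:  # new-format header (RFC 4880 4.2.2)
        tag = ctb & 0x3F
        first = data[offset + 1]
        if first < 192:
            return tag, offset + 2, first
        if first < 224:
            return tag, offset + 3, ((first - 192) << 8) + data[offset + 2] + 192
        if first == 255:
            (length,) = struct.unpack(">I", data[offset + 2:offset + 6])
            return tag, offset + 6, length
        raise ValueError("partial body lengths not supported")
    # old-format header (RFC 4880 4.2.1)
    tag = (ctb >> 2) & 0x0F
    ltype = ctb & 0x03
    if ltype == 0:
        return tag, offset + 2, data[offset + 1]
    if ltype == 1:
        return tag, offset + 3, struct.unpack(">H", data[offset + 1:offset + 3])[0]
    if ltype == 2:
        return tag, offset + 5, struct.unpack(">I", data[offset + 1:offset + 5])[0]
    raise ValueError("indeterminate length not supported")


def iter_packets(data):
    """Yield (tag, body) for each top-level packet in a binary OpenPGP message."""
    offset = 0
    while offset < len(data):
        tag, body_off, body_len = _read_packet_header(data, offset)
        yield tag, data[body_off:body_off + body_len]
        offset = body_off + body_len


def recipient_key_ids(message):
    """Return the key ID named by each PKESK packet, or 'hidden' for the wildcard."""
    ids = []
    for tag, body in iter_packets(message):
        if tag != PKESK_TAG:
            continue
        if body[0] != 3:
            raise ValueError("unsupported PKESK version %d" % body[0])
        key_id = body[1:9]
        ids.append("hidden" if key_id == WILDCARD_KEY_ID else key_id.hex().upper())
    return ids


def extra_visible_recipients(message, expected_visible):
    """Key IDs exposed in the message that are not To/Cc keys (i.e. leaked Bcc)."""
    visible = {k for k in recipient_key_ids(message) if k != "hidden"}
    return sorted(visible - {k.upper() for k in expected_visible})


# --- constructed fixtures (not real messages or real keys) -------------------
def _fake_pkesk(key_id):
    # version 3, key ID, RSA (algo 1), then a dummy 16-bit MPI standing in for
    # the encrypted session key; new-format header with one-octet length.
    body = b"\x03" + key_id + b"\x01" + b"\x00\x10" + b"\xAB\xCD"
    return bytes([0xC0 | PKESK_TAG, len(body)]) + body


_SEIPD_STUB = bytes([0xC0 | 18, 3]) + b"\x01\x00\x00"  # tag 18 placeholder body
TO_KEY = bytes.fromhex("0123456789ABCDEF")   # constructed: the visible To: recipient
BCC_KEY = bytes.fromhex("FEDCBA9876543210")  # constructed: the Bcc: recipient

# Both recipients encrypted with -r: the Bcc key ID is in the metadata.
LEAKY_MESSAGE = _fake_pkesk(TO_KEY) + _fake_pkesk(BCC_KEY) + _SEIPD_STUB
# Bcc recipient encrypted with --hidden-recipient: wildcard key ID.
HIDDEN_MESSAGE = _fake_pkesk(TO_KEY) + _fake_pkesk(WILDCARD_KEY_ID) + _SEIPD_STUB

if __name__ == "__main__":
    for name, msg in (("leaky", LEAKY_MESSAGE), ("hidden", HIDDEN_MESSAGE)):
        print(name, recipient_key_ids(msg),
              "leaked:", extra_visible_recipients(msg, [TO_KEY.hex()]))
```

The same check can be run against a real sent message with `gpg --list-packets`, which prints each `pubkey enc packet` with its `keyid`; a Bcc recipient that was encrypted correctly shows up as `keyid 0000000000000000`, while a leaked one shows the recipient's actual key ID. Feeding a binary-armored message through `gpg --dearmor` first gives the raw packets this reader expects.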


Technical Details

Data Version: 5.2
Assigner Short Name: redhat
Date Reserved: 2024-10-14T17:56:03.767Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 69200f8659bb91a9a9ac5c70

Added to database: 11/21/2025, 7:06:46 AM

Last enriched: 11/21/2025, 7:17:49 AM

Last updated: 1/7/2026, 6:09:27 AM
