
CVE-2026-23829: CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection') in axllent mailpit

Type: Vulnerability
Severity: Medium
Tags: CVE-2026-23829, CWE-93, CWE-150
Published: Sun Jan 18 2026 (01/18/2026, 23:23:04 UTC)
Source: CVE Database V5
Vendor/Project: axllent
Product: mailpit

Description

CVE-2026-23829 is a medium severity vulnerability in axllent's Mailpit email testing tool, affecting versions prior to 1.28.3. The SMTP server improperly validates the email addresses supplied in the RCPT TO and MAIL FROM commands, allowing an unauthenticated remote attacker to inject arbitrary SMTP headers by embedding carriage return characters in the address. The root cause is a flawed regular expression that fails to exclude \r and \n, so header injection or corruption is possible. No authentication or user interaction is required. The vulnerability does not affect confidentiality or availability, but it can compromise the integrity of email headers, potentially enabling spoofing or manipulation in testing environments. No exploitation in the wild has been reported. The issue is fixed in Mailpit version 1.28.3.

AI-Powered Analysis

Last updated: 01/18/2026, 23:56:05 UTC

Technical Analysis

CVE-2026-23829 is a CRLF injection vulnerability in the SMTP server component of axllent's Mailpit, an email testing tool and API widely used by developers. The root cause is an insufficient regular expression used to validate the 'RCPT TO' and 'MAIL FROM' envelope addresses: a negated character class in the pattern did not exclude carriage return (\r) and line feed (\n), so these control characters were accepted as part of an address. An attacker can send SMTP commands whose address contains a bare \r (or \n); when the server later writes that address into message headers, the control character acts as a line terminator, and whatever follows it is parsed as an additional header line. This allows injection of arbitrary headers or corruption of existing ones in messages processed by Mailpit.

The vulnerability requires no authentication or user interaction and is exploitable remotely over the network. Its impact is limited to the integrity of email headers; there is no direct confidentiality or availability impact. It is tracked under CWE-93 (Improper Neutralization of CRLF Sequences) and CWE-150 (Improper Neutralization of Escape, Meta, or Control Sequences). The issue was addressed in Mailpit version 1.28.3 by correcting the regular expression so that CR and LF are rejected during address validation. No exploitation in the wild has been reported as of publication. The CVSS v3.1 base score is 5.3 (Medium), consistent with the vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N: easy to exploit, low integrity impact, no confidentiality or availability loss.
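The following Go program is an added example written for this page; it is not Mailpit's code and neither regular expression is the one from the advisory. It constructs the class of bug described above: a negated character class that excludes spaces and structural characters but not CR/LF, which Go's RE2-based regexp will happily match against control bytes. It then shows the hardened check (explicit control-byte scan plus a tightened pattern) and how one injected CR in an envelope address turns a single trace header into two header lines. The address format, the `Received:` header shape and the sample addresses are assumptions made for the illustration.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// Illustrative patterns, not Mailpit's. Go's regexp compiles with the Perl
// flag set, which includes ClassNL: a negated class such as [^@<> ] matches
// '\r' and '\n'. The loose pattern therefore lets a bare CR through.
var (
	// looseAddr excludes '@', angle brackets and space, but no control bytes.
	looseAddr = regexp.MustCompile(`^[^@<> ]+@[^@<> ]+$`)
	// strictAddr additionally excludes every ASCII control byte (0x00-0x1f, 0x7f).
	strictAddr = regexp.MustCompile(`^[^@<> \x00-\x1f\x7f]+@[^@<> \x00-\x1f\x7f]+$`)
)

var errBadAddress = errors.New("invalid envelope address")

// LooseValidate mirrors the vulnerable behaviour: regex match only.
func LooseValidate(addr string) bool { return looseAddr.MatchString(addr) }

// StrictValidate is the hardened check. The explicit byte scan comes first so
// the rejection does not depend on regex dialect subtleties; the pattern then
// enforces the rest of the shape.
func StrictValidate(addr string) error {
	for i := 0; i < len(addr); i++ {
		if addr[i] < 0x20 || addr[i] == 0x7f {
			return fmt.Errorf("%w: control byte 0x%02x at offset %d", errBadAddress, addr[i], i)
		}
	}
	if !strictAddr.MatchString(addr) {
		return errBadAddress
	}
	return nil
}

// ReceivedHeader builds a simplified trace header from the envelope sender,
// the kind of place a receiving server copies the address verbatim.
// This is a stand-in format, not Mailpit's.
func ReceivedHeader(envelopeFrom string) string {
	return "Received: from client (envelope-from <" + envelopeFrom + ">)\r\n"
}

// HeaderLines splits a raw header block on CRLF, bare CR or bare LF, the way a
// permissive header parser would. One smuggled CR thus yields an extra line.
func HeaderLines(raw string) []string {
	normalized := strings.NewReplacer("\r\n", "\n", "\r", "\n").Replace(raw)
	return strings.Split(strings.TrimSuffix(normalized, "\n"), "\n")
}

func main() {
	benign := "alice@example.test"
	// Constructed attacker input: a bare CR followed by a header-shaped fragment.
	hostile := "alice@example.test\rX-Injected:yes"

	for _, a := range []string{benign, hostile} {
		fmt.Printf("%q loose=%v strict=%v\n", a, LooseValidate(a), StrictValidate(a))
	}
	lines := HeaderLines(ReceivedHeader(hostile))
	fmt.Printf("%d header line(s) from the hostile address: %q\n", len(lines), lines)
}
```

The loose pattern accepts the hostile address and the strict one rejects it at the control byte; the trace header built from the hostile address splits into two lines, the second reading as an attacker-chosen header. When reviewing your own address validators, test them with `\r`, `\n` and `\r\n` explicitly rather than trusting that `\s` or a negated class "obviously" excludes them.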

Potential Impact

For European organizations, the primary impact of CVE-2026-23829 lies in the potential manipulation of email headers within development and testing environments using vulnerable Mailpit versions. While Mailpit is primarily a testing tool and not typically used in production email infrastructure, compromised header integrity can lead to misleading test results, corrupted email flows, or spoofed headers that may mask malicious activity during development cycles. This can hinder secure software development lifecycle (SDLC) processes and potentially introduce risks if testing environments are connected to production or if test data leaks. Since the vulnerability does not affect confidentiality or availability, direct data breaches or service outages are unlikely. However, organizations relying on Mailpit for email validation or integration testing may face integrity risks that could cascade into broader security issues if not addressed. The lack of authentication and remote exploitability increases the risk surface, especially in environments where Mailpit is exposed to untrusted networks. European organizations with active development teams using Mailpit should prioritize patching to maintain secure testing practices and prevent potential abuse of email header injection.

Mitigation Recommendations

1. Upgrade Mailpit to version 1.28.3 or later, which corrects the regular expression used to validate envelope addresses.
2. Restrict network access to the Mailpit SMTP listener to trusted development and testing networks, using segmentation and firewall rules so it is never reachable from untrusted networks.
3. Log the SMTP commands and resulting message headers Mailpit processes, and alert on RCPT TO or MAIL FROM addresses containing control characters, or on messages whose header count or header names differ from what the sending test expects.
4. Educate development and QA teams about the risks of running outdated testing tools, and keep testing software on the same patch cadence as production components.
5. If upgrading is temporarily not possible, place a validation layer or proxy in front of the SMTP listener that rejects MAIL FROM and RCPT TO commands whose address contains CR, LF or any other control character. The layer must frame commands on CRLF and then inspect the whole command for bare CR or LF; a filter that splits on any newline would cut the injected fragment off into a separate "command" and miss it.
6. Review integration points where Mailpit's captured messages or API output feed other systems, to ensure injected headers cannot propagate into production pipelines.
7. Conduct regular security assessments of development and testing tools so similar input-validation flaws are found and fixed proactively.
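As an added example, not part of Mailpit or the advisory, the Go program below sketches the validation layer from recommendation 5: a filter that frames an SMTP session on CRLF, picks out MAIL FROM and RCPT TO commands, and refuses any command carrying a control character, replying with a 501 instead of forwarding it. The constructed session, the reply text and the `Verdict` type are assumptions made for the illustration. The CRLF-only split function is the point worth copying: with `bufio.ScanLines` the bare-LF case below would be split into two fragments and the injection would pass.

```go
package main

import (
	"bufio"
	"bytes"
	"fmt"
	"strings"
)

// SampleSession is a constructed client-to-server stream: a benign sender,
// one recipient smuggling a bare CR and one smuggling a bare LF.
const SampleSession = "EHLO client.test\r\n" +
	"MAIL FROM:<alice@example.test>\r\n" +
	"RCPT TO:<bob@example.test\rX-Injected:yes>\r\n" +
	"RCPT TO:<carol@example.test\nX-Injected:yes>\r\n" +
	"QUIT\r\n"

// Verdict records what the filter decides for one command frame.
type Verdict struct {
	Line    string
	Forward bool
	Reply   string // reply returned to the client when not forwarding
}

// scanCRLF is a bufio.SplitFunc that frames on CRLF only. A bare CR or LF
// inside an address stays inside its frame where the filter can see it.
func scanCRLF(data []byte, atEOF bool) (advance int, token []byte, err error) {
	if i := bytes.Index(data, []byte("\r\n")); i >= 0 {
		return i + 2, data[:i], nil
	}
	if atEOF && len(data) > 0 {
		return len(data), data, nil
	}
	return 0, nil, nil
}

// isEnvelopeCommand reports whether the frame is MAIL FROM or RCPT TO.
// SMTP verbs are case-insensitive, so the prefix test uses an upper-cased copy.
func isEnvelopeCommand(line string) bool {
	upper := strings.ToUpper(line)
	return strings.HasPrefix(upper, "MAIL FROM:") || strings.HasPrefix(upper, "RCPT TO:")
}

// hasControlBytes flags any ASCII control byte, including CR, LF and NUL.
func hasControlBytes(s string) bool {
	for i := 0; i < len(s); i++ {
		if s[i] < 0x20 || s[i] == 0x7f {
			return true
		}
	}
	return false
}

// FilterSession applies the envelope check to every frame of a session.
// Only envelope commands are inspected here, matching the advisory's scope;
// a stricter deployment could reject control bytes in any command frame.
func FilterSession(session string) []Verdict {
	sc := bufio.NewScanner(strings.NewReader(session))
	sc.Split(scanCRLF)
	var out []Verdict
	for sc.Scan() {
		line := sc.Text()
		if isEnvelopeCommand(line) && hasControlBytes(line) {
			out = append(out, Verdict{
				Line:    line,
				Forward: false,
				Reply:   "501 5.1.3 Bad address syntax: control characters not allowed",
			})
			continue
		}
		out = append(out, Verdict{Line: line, Forward: true})
	}
	return out
}

func main() {
	for i, v := range FilterSession(SampleSession) {
		if v.Forward {
			fmt.Printf("frame %d forward %q\n", i, v.Line)
		} else {
			fmt.Printf("frame %d REJECT %q -> %s\n", i, v.Line, v.Reply)
		}
	}
}
```

Running it forwards EHLO, MAIL FROM and QUIT, and rejects both RCPT TO frames. Pair the filter with logging of every rejected frame (recommendation 3) so that injection attempts against a lab environment are visible rather than silently dropped.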


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2026-01-16T15:46:40.841Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 696d6fb9d302b072d906e976

Added to database: 1/18/2026, 11:41:45 PM

Last enriched: 1/18/2026, 11:56:05 PM

Last updated: 1/19/2026, 3:52:45 AM

Views: 35

