
CVE-2026-26312: CWE-770: Allocation of Resources Without Limits or Throttling in stalwartlabs stalwart

Severity: Medium
Published: Thu Feb 19 2026 (02/19/2026, 21:05:11 UTC)
Source: CVE Database V5
Vendor/Project: stalwartlabs
Product: stalwart

Description

CVE-2026-26312 is a denial-of-service vulnerability in Stalwart Mail Server versions 0.13.0 through 0.15.4. It arises from the server's handling of specially crafted emails containing malformed nested message/rfc822 MIME parts accessed via the IMAP or JMAP protocols. The malformed structure causes the mail-parser crate to create cyclical references, leading the server to consume excessive CPU and memory resources indefinitely. This can result in an out-of-memory condition and server crash, disrupting mail services. The vulnerability requires low privileges but no user interaction and has a CVSS score of 6.5 (medium severity).

AI-Powered Analysis

Last updated: 02/19/2026, 21:32:04 UTC

Technical Analysis

CVE-2026-26312 is a resource exhaustion vulnerability classified under CWE-770 (Allocation of Resources Without Limits or Throttling) affecting the Stalwart Mail Server, a mail and collaboration platform. The flaw exists in versions 0.13.0 through 0.15.4 and is triggered when the server processes specially crafted emails containing malformed nested message/rfc822 MIME parts via IMAP or JMAP protocols. The malformed MIME structure causes the underlying mail-parser crate to generate cyclical references within its parsed data representation. Stalwart's processing logic follows these cyclical references indefinitely, leading to unbounded CPU and memory consumption. This resource exhaustion can cause the server to run out of memory and crash, resulting in a denial-of-service condition. The vulnerability does not affect confidentiality or integrity but severely impacts availability. Exploitation requires only low-level privileges (PR:L) and no user interaction (UI:N), making it relatively easy to exploit by authenticated users. The issue was addressed in Stalwart version 0.15.5, which includes a patch to detect and handle malformed MIME structures safely, preventing infinite resource consumption. No public exploits have been reported yet, but the vulnerability poses a significant risk to mail server availability if left unpatched.
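The cyclical-reference failure the analysis describes, as an added example that is not Stalwart's or the mail-parser crate's code: a hypothetical flattened MIME part table in Rust, walked with a visited set and a depth cap so that a message/rfc822 reference that loops back on itself is rejected rather than followed forever. The `Part` type, `walk`, `MAX_DEPTH` and the constructed sample parts are all assumptions made for illustration.

```rust
// Added example, not Stalwart or mail-parser code: a bounded walk over a
// flattened MIME part table (hypothetical simplification of a parser's output)
// where nested message/rfc822 parts refer to other parts by index. A malformed
// message can make those references loop; this walk refuses to visit a part
// twice and caps nesting depth, so CPU and memory stay bounded (CWE-770 fix).
use std::collections::HashSet;

/// Hypothetical part record: a leaf body, or a container (multipart or
/// nested message/rfc822) holding the indices of its child parts.
pub enum Part {
    Leaf { bytes: usize },
    Container { children: Vec<usize> },
}

/// Nesting limit; assumed value, well above legitimate mail nesting.
pub const MAX_DEPTH: usize = 32;

#[derive(Debug, PartialEq)]
pub enum WalkError { Cycle(usize), TooDeep(usize), BadIndex(usize) }

/// Sums leaf sizes reachable from `root`, erroring on the first repeated part
/// (cycle or shared reference), unknown index, or depth beyond MAX_DEPTH.
pub fn walk(parts: &[Part], root: usize) -> Result<usize, WalkError> {
    let mut visited = HashSet::new();
    let mut stack = vec![(root, 0usize)]; // explicit stack: no deep recursion
    let mut total = 0;
    while let Some((idx, depth)) = stack.pop() {
        if depth > MAX_DEPTH { return Err(WalkError::TooDeep(idx)); }
        if !visited.insert(idx) { return Err(WalkError::Cycle(idx)); }
        match parts.get(idx) {
            None => return Err(WalkError::BadIndex(idx)),
            Some(Part::Leaf { bytes }) => total += *bytes,
            Some(Part::Container { children }) => {
                for &child in children { stack.push((child, depth + 1)); }
            }
        }
    }
    Ok(total)
}

fn main() {
    // Constructed sample: part 2 is a nested message pointing back at part 0.
    let cyclic = vec![
        Part::Container { children: vec![1, 2] },
        Part::Leaf { bytes: 100 },
        Part::Container { children: vec![0] },
    ];
    println!("{:?}", walk(&cyclic, 0)); // prints Err(Cycle(0))
}
```

A well-formed message is a tree, so any part reached twice is either a cycle or a shared reference, and both are malformed enough to stop processing.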

Potential Impact

The primary impact of CVE-2026-26312 is denial of service due to resource exhaustion on affected Stalwart Mail Servers. Organizations relying on Stalwart for mail and collaboration services may experience server crashes and service outages when targeted with maliciously crafted emails exploiting this vulnerability. This can disrupt internal and external communications, potentially affecting business operations, customer support, and collaboration workflows. The vulnerability does not expose sensitive data or allow unauthorized access but can degrade service availability, leading to productivity losses and reputational damage. Since the attack vector requires authenticated access, insider threats or compromised accounts could be leveraged to trigger the exploit. Additionally, mail servers exposed to the internet may be targeted by external attackers who have obtained valid credentials. The medium CVSS score reflects moderate severity, but the ease of exploitation and potential for service disruption make timely remediation critical.

Mitigation Recommendations

To mitigate CVE-2026-26312, organizations should upgrade Stalwart Mail Server to version 0.15.5 or later, which contains the official patch addressing the malformed MIME parsing issue. Until the upgrade is applied, administrators should implement strict access controls to limit authenticated user access to trusted personnel only, reducing the risk of exploitation by unauthorized users. Monitoring mail server logs for unusual IMAP or JMAP requests containing nested message/rfc822 MIME parts can help detect attempted exploitation. Rate limiting or throttling IMAP and JMAP requests may reduce the impact of resource exhaustion attacks. Deploying network-level protections such as Web Application Firewalls (WAFs) or Intrusion Prevention Systems (IPS) with custom rules to detect and block malformed MIME payloads can provide additional defense layers. Regularly auditing and rotating credentials reduces the risk of compromised accounts being used to exploit this vulnerability. Finally, maintaining robust backup and recovery procedures ensures rapid restoration of services in case of a successful denial-of-service attack.


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2026-02-13T16:27:51.806Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 69977dd1d7880ec89b33bbe3

Added to database: 2/19/2026, 9:17:05 PM

Last enriched: 2/19/2026, 9:32:04 PM

Last updated: 2/19/2026, 10:54:21 PM
