Skip to main content

Mailerup CVE-2026-13164

| EUVDEUVD-2026-38999 HIGH
Missing Authentication for Critical Function (CWE-306)
2026-06-24 Secur0 GHSA-cwqp-w2pg-8772
8.8
CVSS 4.0 · Vendor: Secur0
Share

Severity by source

Vendor (Secur0) PRIMARY
8.8 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from Vendor (Secur0) · only source for this CVE.

CVSS VectorVendor: Secur0

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

2
Source Code Evidence Fetched
Jun 24, 2026 - 16:51 vuln.today
Analysis Generated
Jun 24, 2026 - 16:51 vuln.today

DescriptionCVE.org

Missing Authentication for Critical Function (CWE-306) in the RegisterView (apps/accounts/views.py), exposed at POST /api/auth/register/, in MailerUp <1.0.1 allows a remote, unauthenticated attacker to self-register a working account on instances where registration is intended to be restricted, because the endpoint applies the AllowAny permission with no email verification, CAPTCHA, or administrator approval. Any account created this way can read all email stored by the instance, resulting in full disclosure of stored messages to an arbitrary unauthenticated attacker

AnalysisAI

Unauthenticated account self-registration in MailerUp before 1.0.1 lets any remote attacker POST to /api/auth/register/ and obtain a working account, even on instances where operators intended registration to be closed, because the RegisterView is wired with Django REST Framework's AllowAny permission and enforces no email verification, CAPTCHA, or admin approval. Once registered, the attacker can read every email stored by the instance, yielding full disclosure of all stored messages. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Recommended ActionAI

Within 24 hours: Identify all MailerUp instances running versions prior to 1.0.1; begin upgrade planning to version 1.0.1 or later. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-13164 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy