Skip to main content

SEPPmail Secure Email Gateway CVE-2026-44127

| EUVDEUVD-2026-28587 HIGH
External Control of File Name or Path (CWE-73)
2026-05-08 NCSC.ch GHSA-gh4w-5vrf-hhcg
8.8
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

4
Patch available
May 08, 2026 - 14:33 EUVD
Analysis Generated
May 08, 2026 - 14:30 vuln.today
CVSS changed
May 08, 2026 - 14:22 NVD
8.8 (HIGH)
CVE Published
May 08, 2026 - 13:13 nvd
HIGH 8.8

DescriptionCVE.org

SEPPmail Secure Email Gateway before version 15.0.4 contains an unauthenticated path traversal vulnerability in the identifier parameter of /api.app/attachment/preview that allows remote attackers to read arbitrary local files and trigger deletion of files in the targeted directory with the privileges of the api.app process.

AnalysisAI

Remote unauthenticated attackers can read arbitrary local files and trigger deletion of targeted files in SEPPmail Secure Email Gateway versions before 15.0.4 through path traversal in the /api.app/attachment/preview endpoint. The vulnerability allows exploitation without authentication or user interaction (CVSS:4.0 AV:N/AC:L/PR:N/UI:N), enabling attackers to exfiltrate sensitive configuration files, credentials, or email data, and selectively delete files with api.app process privileges. No active exploitation confirmed by CISA KEV at time of analysis, though the unauthenticated remote attack vector and file manipulation capabilities represent elevated risk for exposed email gateway appliances. Swiss NCSC disclosure suggests vendor-coordinated remediation.

Technical ContextAI

SEPPmail Secure Email Gateway is an email security appliance providing encryption, DLP, and threat protection. The vulnerability stems from CWE-73 (External Control of File Name or Path) in the identifier parameter of the /api.app/attachment/preview API endpoint. Path traversal flaws occur when user-supplied input containing directory traversal sequences (../ or absolute paths) is insufficiently validated before being used in file system operations. The affected CPE (cpe:2.3:a:seppmail_ag:secure_email_gateway) indicates the core appliance software is vulnerable. The api.app process context determines file access boundaries - typically this service runs with elevated privileges to access email attachment stores and system configuration directories. The dual impact (read arbitrary files AND trigger deletion) suggests the endpoint performs both file retrieval and cleanup operations on the same user-controlled path parameter without proper canonicalization or sandboxing.

RemediationAI

Upgrade to SEPPmail Secure Email Gateway version 15.0.4 or later per vendor advisory at https://downloads.seppmail.com/extrelnotes/150/ERN15.0.html#security. For environments unable to immediately patch, implement compensating controls: (1) Restrict network access to /api.app/* endpoints to authenticated administrative IPs only via firewall rules or reverse proxy ACLs - note this breaks legitimate attachment preview for unauthorized networks; (2) Deploy web application firewall rules to block requests containing path traversal sequences (../, ..\ , %2e%2e%2f, absolute paths) in the identifier parameter - may cause false positives with legitimate attachment filenames containing periods; (3) Monitor api.app process file access via auditd or equivalent for unexpected reads outside /var/seppmail/attachments or similar designated paths - generates high log volume requiring SIEM tuning. Temporary API endpoint disablement is not documented by vendor and may break core email processing workflows. Patch deployment remains the only complete remediation without operational trade-offs.

CVE-2024-9043 CRITICAL
9.8 Sep 20

Secure Email Gateway from Cellopoint has Buffer Overflow Vulnerability in authentication process. Rated critical severit

CVE-2024-20401 CRITICAL
9.8 Jul 17

A vulnerability in the content scanning and message filtering features of Cisco Secure Email Gateway could allow an unau

CVE-2024-6744 CRITICAL
9.8 Jul 15

The SMTP Listener of Secure Email Gateway from Cellopoint does not properly validate user input, leading to a Buffer Ove

CVE-2026-44128 CRITICAL
9.3 May 08

Remote code execution in SEPPmail Secure Email Gateway versions prior to 15.0.2.1 enables unauthenticated attackers to e

CVE-2026-44125 CRITICAL
9.3 May 08

Authorization bypass in SEPPmail Secure Email Gateway versions prior to 15.0.4 enables remote unauthenticated attackers

CVE-2026-29144 HIGH
7.8 Apr 02

SEPPmail Secure Email Gateway before version 15.0.3 allows attackers to bypass subject sanitization and forge security t

CVE-2026-29143 HIGH
7.8 Apr 02

SEPPmail Secure Email Gateway before version 15.0.3 fails to properly authenticate inner messages within S/MIME-encrypte

CVE-2026-29139 HIGH
7.8 Apr 02

Account takeover in SEPPmail Secure Email Gateway versions before 15.0.3 allows unauthenticated attackers to reset victi

CVE-2026-29141 HIGH
7.7 Apr 02

SEPPmail Secure Email Gateway before version 15.0.3 allows remote attackers to bypass subject line sanitization controls

CVE-2026-29140 HIGH
7.7 Apr 02

SEPPmail Secure Email Gateway before version 15.0.3 allows remote attackers to inject malicious certificates into S/MIME

CVE-2026-8811 HIGH
7.1 Jun 18

Path traversal in SEPPmail Secure Email Gateway versions before 15.0.5 allows authenticated remote attackers to write fi

CVE-2026-7864 MEDIUM
6.9 May 08

SEPPmail Secure Email Gateway before version 15.0.4 exposes server environment variables through an unauthenticated endp

Share

CVE-2026-44127 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy