Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
11DescriptionCVE.org
MailGates/MailAudit developed by Openfind has a CRLF Injection vulnerability, allowing unauthenticated remote attackers to exploit this vulnerability to read system files.
AnalysisAI
CRLF Injection in Openfind MailGates/MailAudit allows remote unauthenticated attackers to read arbitrary system files via HTTP header manipulation. Affects MailGates/MailAudit versions 5.0-6.0 (prior to 5.2.10.099 and 6.1.10.054 respectively). CVSS 8.7 with network vector, low complexity, and no authentication required indicates critical real-world risk. Taiwan CERT advisory published; no CISA KEV listing or public exploit code identified at time of analysis, suggesting early disclosure phase.
Technical ContextAI
CRLF (Carriage Return Line Feed) injection (CWE-93) occurs when applications fail to sanitize user-controlled input before inserting it into HTTP headers or other protocol streams. Attackers inject newline characters (\r\n) to manipulate HTTP responses, enabling header injection, HTTP response splitting, or-as demonstrated here-unauthorized file access. MailGates and MailAudit are enterprise email security and archiving solutions from Taiwan-based Openfind Information Technology. The vulnerability likely resides in web-facing administrative interfaces or email processing components where user input is improperly incorporated into HTTP response headers. By injecting CRLF sequences, attackers can break out of header context and craft responses that disclose file contents through techniques like path traversal combined with response manipulation. The affected CPE strings indicate all versions of both products are vulnerable until specific patch versions are applied.
RemediationAI
Upgrade immediately to patched versions: MailGates/MailAudit 5.2.10.099 or later for 5.x branches, and 6.1.10.054 or later for 6.x branches, per EUVD version data. Consult Taiwan CERT advisories at https://www.twcert.org.tw/en/cp-139-10843-9ff91-2.html for vendor-specific upgrade procedures. If immediate patching is impossible, implement strict network segmentation to restrict access to MailGates/MailAudit web interfaces to trusted management networks only (not internet-facing), and deploy web application firewall (WAF) rules to block HTTP requests containing CRLF sequences (percent-encoded %0D%0A, literal \r\n, and variations) in all input parameters-noting that overly aggressive filtering may break legitimate email header processing, requiring testing in staging environments. Monitor system logs for unusual file access patterns and HTTP response anomalies as temporary detection measures.
The session cookie in MailGates and MailAudit from Openfind does not have the HttpOnly flag enabled, allowing remote att
Openfind MailGates contains a Command Injection flaw, when receiving email with specific strings, malicious code in the
Remote unauthenticated code execution in Openfind MailGates (5.0-6.0) and MailAudit (5.0-6.0) via stack-based buffer ove
MailGates and MailAudit products contain Command Injection flaw, which can be used to inject and execute system commands
Same technique Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-23167
GHSA-mgwx-w2xc-pjq7