Skip to main content

Mailgates CVE-2026-6351

| EUVDEUVD-2026-23167 HIGH
Improper Neutralization of CRLF Sequences ('CRLF Injection') (CWE-93)
2026-04-16 twcert GHSA-mgwx-w2xc-pjq7
8.7
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

11
Patch released
Apr 17, 2026 - 15:38 nvd
Patch available
Analysis Updated
Apr 16, 2026 - 05:56 EUVD-patch-fix
executive_summary
Re-analysis Queued
Apr 16, 2026 - 05:29 backfill_euvd_patch
patch_released
Patch available
Apr 16, 2026 - 05:29 EUVD
6.1.10.054,5.2.10.099
Analysis Updated
Apr 16, 2026 - 03:44 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 16, 2026 - 03:34 vuln.today
cvss_changed
CVSS changed
Apr 16, 2026 - 03:34 NVD
7.5 (HIGH) 8.7 (HIGH)
Analysis Generated
Apr 16, 2026 - 02:52 vuln.today
EUVD ID Assigned
Apr 16, 2026 - 02:45 euvd
EUVD-2026-23167
Analysis Generated
Apr 16, 2026 - 02:45 vuln.today
CVE Published
Apr 16, 2026 - 02:39 nvd
HIGH 8.7

DescriptionCVE.org

MailGates/MailAudit developed by Openfind has a CRLF Injection vulnerability, allowing unauthenticated remote attackers to exploit this vulnerability to read system files.

AnalysisAI

CRLF Injection in Openfind MailGates/MailAudit allows remote unauthenticated attackers to read arbitrary system files via HTTP header manipulation. Affects MailGates/MailAudit versions 5.0-6.0 (prior to 5.2.10.099 and 6.1.10.054 respectively). CVSS 8.7 with network vector, low complexity, and no authentication required indicates critical real-world risk. Taiwan CERT advisory published; no CISA KEV listing or public exploit code identified at time of analysis, suggesting early disclosure phase.

Technical ContextAI

CRLF (Carriage Return Line Feed) injection (CWE-93) occurs when applications fail to sanitize user-controlled input before inserting it into HTTP headers or other protocol streams. Attackers inject newline characters (\r\n) to manipulate HTTP responses, enabling header injection, HTTP response splitting, or-as demonstrated here-unauthorized file access. MailGates and MailAudit are enterprise email security and archiving solutions from Taiwan-based Openfind Information Technology. The vulnerability likely resides in web-facing administrative interfaces or email processing components where user input is improperly incorporated into HTTP response headers. By injecting CRLF sequences, attackers can break out of header context and craft responses that disclose file contents through techniques like path traversal combined with response manipulation. The affected CPE strings indicate all versions of both products are vulnerable until specific patch versions are applied.

RemediationAI

Upgrade immediately to patched versions: MailGates/MailAudit 5.2.10.099 or later for 5.x branches, and 6.1.10.054 or later for 6.x branches, per EUVD version data. Consult Taiwan CERT advisories at https://www.twcert.org.tw/en/cp-139-10843-9ff91-2.html for vendor-specific upgrade procedures. If immediate patching is impossible, implement strict network segmentation to restrict access to MailGates/MailAudit web interfaces to trusted management networks only (not internet-facing), and deploy web application firewall (WAF) rules to block HTTP requests containing CRLF sequences (percent-encoded %0D%0A, literal \r\n, and variations) in all input parameters-noting that overly aggressive filtering may break legitimate email header processing, requiring testing in staging environments. Monitor system logs for unusual file access patterns and HTTP response anomalies as temporary detection measures.

Share

CVE-2026-6351 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy