CVE-2026-44125 PUBLISHED

Missing Authorization in GINAv2

Assigner: NCSC.ch
Reserved: 05.05.2026 Published: 08.05.2026 Updated: 08.05.2026

SEPPmail Secure Email Gateway before version 15.0.4 fails to enforce authorization checks for multiple endpoints in the new GINA UI, allowing unauthenticated remote attackers to access functionality that should require a valid session.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CVSS Score: 9.3

Product Status

Vendor: SEPPmail AG
Product: Secure Email Gateway
Versions (default: unaffected):
  • affected from 0 to 15.0.4 (excl.)

Problem Types

  • CWE-862: Missing Authorization

Impacts

  • CAPEC-180: Exploiting Incorrectly Configured Access Control Security Levels