CVE-2026-29143

CVE-2026-29143 is a critical vulnerability in SEPPmail Secure Email Gateway versions prior to 15.0.3, published on 2026-04-02. It arises from improper authentication of the inner message within S/MIME-encrypted MIME entities (CWE-20: Improper Input Validation), which allows an attacker to control trusted headers. The issue carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N), reflecting network accessibility, low attack complexity, no required privileges or user interaction, and high impacts on confidentiality and integrity with no availability disruption.

A remote, unauthenticated attacker can exploit this vulnerability over the network by crafting malicious S/MIME-encrypted emails. With low complexity and no need for user interaction, exploitation enables control over trusted headers in processed emails, potentially allowing spoofing of sender information, manipulation of email metadata, or bypass of gateway security checks that rely on those headers.

The SEPPmail extended release notes for version 15.0 detail the vulnerability disclosure and confirm that it is fixed in version 15.0.3. Security practitioners should prioritize upgrading affected SEPPmail Secure Email Gateway installations to 15.0.3 or later to mitigate this issue.