CVE-2026-13164

Source
https://cve.org/CVERecord?id=CVE-2026-13164
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-13164.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-13164
Published
2026-06-24T15:37:17.398Z
Modified
2026-07-15T01:48:53.271396258Z
Severity
  • 8.8 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N CVSS Calculator
Summary
Unauthenticated self-registration in MailerUp allows access to stored email data
Details

Missing Authentication for Critical Function (CWE-306) in the RegisterView (apps/accounts/views.py), exposed at POST /api/auth/register/, in MailerUp <1.0.1 allows a remote, unauthenticated attacker to self-register a working account on instances where registration is intended to be restricted, because the endpoint applies the AllowAny permission with no email verification, CAPTCHA, or administrator approval. Any account created this way can read all email stored by the instance, resulting in full disclosure of stored messages to an arbitrary unauthenticated attacker

Database specific
{
    "cna_assigner": "Secur0",
    "cwe_ids": [
        "CWE-306"
    ],
    "unresolved_ranges": [
        {
            "source": "AFFECTED_FIELD",
            "extracted_events": [
                {
                    "fixed": "1.0.1"
                }
            ]
        },
        {
            "source": "CPE_FIELD",
            "extracted_events": [
                {
                    "fixed": "1.0.1"
                }
            ]
        }
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/13xxx/CVE-2026-13164.json"
}
References

Affected packages

Git / github.com/maalfer/mailerup

Affected ranges

Type
GIT
Repo
https://github.com/maalfer/mailerup
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "source": "REFERENCES"
}

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-13164.json"