EXECUTIVE SUMMARY:
CVE-2026-45713, with a CVSS score of 7.5, is a pre-auth, remote denial-of-service vulnerability in the Mailpit SMTP server. The vulnerability affects the go/github.com/axllent/mailpit package and allows an attacker with network access to send an arbitrarily large message, causing the Mailpit process to consume excessive memory and potentially crash due to out-of-memory conditions. It can be exploited by sending a large SMTP DATA payload or a large JSON body to the HTTP /api/v1/send endpoint, either of which lets the attacker trigger a denial-of-service condition. The business impact and consequences of exploitation include increased resource utilization, potential data loss, and system crashes. Prerequisites for exploitation include network reachability to the SMTP service and the ability to send network traffic.
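The root cause described above is an unbounded read: the server buffers whatever the client sends before deciding whether to keep it. The following Go program is an added example, not Mailpit's code or its fix; it contrasts an unbounded read with a capped one for both ingestion paths the advisory names (SMTP DATA and a JSON HTTP endpoint). The function names, the `ErrTooLarge` error, and the size limits are assumptions chosen for this example; the endpoint path /api/v1/send is reused from the advisory only as a stand-in route.

```go
package main

import (
	"bufio"
	"bytes"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/textproto"
	"strings"
)

// ErrTooLarge is returned once a client pushes more bytes than the configured
// ceiling. Hypothetical name for this example, not a Mailpit identifier.
var ErrTooLarge = errors.New("message exceeds configured size limit")

// readUnbounded shows the failure mode in the advisory: the whole payload is
// buffered in memory, so peak memory is whatever the peer decides to send.
func readUnbounded(r io.Reader) ([]byte, error) {
	return io.ReadAll(r)
}

// readBounded buffers at most maxBytes and fails fast on the first byte past
// the ceiling, so memory use is proportional to the limit, not to the peer.
func readBounded(r io.Reader, maxBytes int64) ([]byte, error) {
	// Read one extra byte to distinguish "exactly at the limit" from "over".
	data, err := io.ReadAll(&io.LimitedReader{R: r, N: maxBytes + 1})
	if err != nil {
		return nil, err
	}
	if int64(len(data)) > maxBytes {
		return nil, ErrTooLarge
	}
	return data, nil
}

// readSMTPData consumes an SMTP DATA body (dot-stuffed, ended by a lone "."
// line) with the same ceiling. textproto's DotReader handles the framing and
// readBounded caps how much of it the server is willing to hold.
func readSMTPData(conn io.Reader, maxBytes int64) ([]byte, error) {
	dot := textproto.NewReader(bufio.NewReader(conn)).DotReader()
	return readBounded(dot, maxBytes)
}

// sendHandler returns an HTTP handler for a JSON submission endpoint with a
// capped request body. A stand-in for the kind of endpoint the advisory
// mentions, not Mailpit's own handler.
func sendHandler(maxBytes int64) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		// MaxBytesReader stops at maxBytes and reports a *http.MaxBytesError.
		r.Body = http.MaxBytesReader(w, r.Body, maxBytes)
		body, err := io.ReadAll(r.Body)
		if err != nil {
			var mbe *http.MaxBytesError
			if errors.As(err, &mbe) {
				http.Error(w, "payload too large", http.StatusRequestEntityTooLarge)
				return
			}
			http.Error(w, "bad request", http.StatusBadRequest)
			return
		}
		// A real endpoint would json.Unmarshal body here; the point is that
		// the decoder never sees more than maxBytes.
		fmt.Fprintf(w, "accepted %d bytes", len(body))
	}
}

// postJSON drives sendHandler in-process with a constructed body and returns
// the HTTP status, so the cap can be exercised without opening a socket.
func postJSON(maxBytes int64, body string) int {
	req := httptest.NewRequest(http.MethodPost, "/api/v1/send", strings.NewReader(body))
	req.Header.Set("Content-Type", "application/json")
	rec := httptest.NewRecorder()
	sendHandler(maxBytes)(rec, req)
	return rec.Code
}

func main() {
	const limit = 1 << 20 // 1 MiB ceiling, an arbitrary value for the example

	// Constructed inputs: a small well-formed DATA body and a 4 MiB blob
	// standing in for an oversized message.
	small := "Subject: hi\r\n\r\nhello\r\n.\r\n"
	huge := string(bytes.Repeat([]byte("A"), 4<<20)) + "\r\n.\r\n"

	if msg, err := readSMTPData(strings.NewReader(small), limit); err == nil {
		fmt.Printf("small message accepted: %d bytes\n", len(msg))
	}
	if _, err := readSMTPData(strings.NewReader(huge), limit); err != nil {
		fmt.Println("oversized DATA rejected:", err)
	}
	if buf, _ := readUnbounded(strings.NewReader(huge)); len(buf) > limit {
		fmt.Printf("unbounded read buffered all %d bytes\n", len(buf))
	}
	fmt.Println("JSON within limit ->", postJSON(limit, `{"From":"a@example.test"}`))
	fmt.Println("JSON over limit   ->", postJSON(limit, huge))
}
```

In a real SMTP server the `ErrTooLarge` path should answer the client with a 552-style "message size exceeds limit" reply and then either drain the rest of the DATA stream or close the connection, otherwise the protocol state desynchronizes; advertising the ceiling via the SIZE extension in the EHLO response lets well-behaved clients avoid the rejection altogether. The same cap should apply to any other ingestion path (HTTP API, file import) so the fix is not bypassed by switching transports.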
RECOMMENDATION:
We recommend updating Mailpit to version 1.30.0 or later.
REFERENCES:
The following reports contain further technical details:
https://github.com/advisories/GHSA-fpxj-m5q8-fphw