CVE-2026-44127 SEPPmail AG CVE debrief

Who should care

Organizations running SEPPmail Secure Email Gateway versions prior to 15.0.4, particularly those with externally accessible management interfaces. Security teams responsible for email gateway infrastructure and vulnerability management programs.

Technical summary

The vulnerability exists in the /api.app/attachment/preview endpoint where the identifier parameter fails to properly sanitize path traversal sequences. An unauthenticated remote attacker can manipulate this parameter to access files outside the intended directory, achieving arbitrary file read and file deletion capabilities. The api.app process privileges determine the scope of accessible files. The CVSS 4.0 score of 8.8 reflects the high confidentiality impact combined with low integrity and availability impacts, with no authentication or user interaction required for exploitation.

Defensive priority

HIGH

Recommended defensive actions

• Upgrade SEPPmail Secure Email Gateway to version 15.0.4 or later
• Review access logs for suspicious requests to /api.app/attachment/preview with path traversal patterns in the identifier parameter
• Implement network segmentation to restrict access to the SEPPmail management interface
• Monitor for unexpected file access or deletion activity on the SEPPmail server
• Apply principle of least privilege to the api.app process where possible

Evidence notes

Vulnerability details sourced from NVD with references to vendor release notes and InfoGuard Labs security research. Vendor attribution based on reference domain candidate 'Seppmail' with low confidence requiring review.

Official resources