PatchSiren cyber security CVE debrief
CVE-2026-7864 SEPPmail AG CVE debrief
CVE-2026-7864 is a medium-severity information disclosure issue in SEPPmail Secure Email Gateway before version 15.0.4. An unauthenticated endpoint in the new GINA UI can expose server environment variables, which may reveal sensitive system details to remote attackers. The supplied metadata maps this to CWE-497 and shows no Known Exploited Vulnerabilities (KEV) listing in the provided corpus.
- Vendor: SEPPmail AG
- Product: Secure Email Gateway
- CVSS: MEDIUM 6.9
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-08
- Original CVE updated: 2026-05-18
- Advisory published: 2026-05-08
- Advisory updated: 2026-05-18
Who should care
Administrators and security teams running SEPPmail Secure Email Gateway deployments before 15.0.4, especially where the new GINA UI is reachable from untrusted networks.
Technical summary
The issue is described as an unauthenticated endpoint in the new GINA UI that exposes server environment variables. Because the request path requires no authentication and is reachable remotely, an attacker can obtain sensitive system information without prior access. The provided NVD metadata associates the weakness with CWE-497 and a network-reachable, no-auth attack profile.
Defensive priority
High for exposed SEPPmail instances below 15.0.4, because the flaw is remotely reachable and requires no authentication, even though the observed impact is information disclosure rather than code execution.
Recommended defensive actions
- Upgrade SEPPmail Secure Email Gateway to version 15.0.4 or later.
- Restrict exposure of the GINA UI to trusted management networks until patched.
- Review any logs or monitoring for requests to the affected endpoint before remediation.
- Treat exposed environment variables as potentially sensitive and rotate any secrets that may have been disclosed if exposure is confirmed.
- Validate that any compensating access controls do not leave the unauthenticated endpoint reachable from untrusted networks.
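One way to carry out the log review and decide whether secret rotation is warranted, as an added example that is not part of the advisory or any SEPPmail tooling. The endpoint path is a placeholder (the advisory text does not name it), and the combined-style access log format, the trusted management network and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Placeholder: the advisory does not name the affected endpoint path.
AFFECTED_PATH = "/PLACEHOLDER/gina-endpoint"
# Assumed trusted management network; replace with your own ranges.
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/24")]
# Assumed combined-style access log; adapt the regex to the real log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)
# Constructed sample lines using documentation address ranges, not real traffic.
SAMPLE_LOG = """\
10.20.0.15 - - [09/May/2026:08:01:12 +0000] "GET /PLACEHOLDER/gina-endpoint HTTP/1.1" 200 4312
198.51.100.7 - - [09/May/2026:08:03:40 +0000] "GET /PLACEHOLDER/gina-endpoint HTTP/1.1" 200 4312
198.51.100.7 - - [09/May/2026:08:03:41 +0000] "GET /PLACEHOLDER/gina-endpoint?x=1 HTTP/1.1" 200 4312
203.0.113.9 - - [09/May/2026:09:10:02 +0000] "GET /PLACEHOLDER/gina-endpoint HTTP/1.1" 403 153
203.0.113.9 - - [09/May/2026:09:10:05 +0000] "GET /login HTTP/1.1" 200 2048
not a log line
"""

def is_trusted(ip_text):
    """True only if the source address parses and sits in a trusted network."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # unparsable sources are treated as untrusted
    return any(ip in net for net in TRUSTED_NETS)

def find_exposures(log_text):
    """Return {source_ip: [timestamps]} for successful untrusted hits on the endpoint."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not access log entries
        path = m["path"].split("?", 1)[0]  # ignore any query string
        if path != AFFECTED_PATH or not m["status"].startswith("2"):
            continue  # other paths, or requests already blocked (e.g. 403)
        if not is_trusted(m["ip"]):
            hits[m["ip"]].append(m["ts"])
    return dict(hits)

if __name__ == "__main__":
    for ip, stamps in find_exposures(SAMPLE_LOG).items():
        print(f"{ip}: {len(stamps)} successful request(s), first at {stamps[0]}")
```

Any source returned here received a successful response from outside the trusted range, which is the condition under which the exposed environment variables should be treated as disclosed.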
Evidence notes
The CVE description states that SEPPmail Secure Email Gateway before 15.0.4 exposes server environment variables through an unauthenticated endpoint in the new GINA UI. The provided NVD metadata lists CWE-497 as the weakness and shows a CVSS v4 network/no-auth vector with medium severity. The corpus also includes a vendor release notes reference and an InfoGuard post referenced by NCSC. NVD vulnStatus is marked Deferred in the supplied source item.
Official resources
Published 2026-05-08 and last modified 2026-05-18 in the supplied CVE record. No KEV entry is present in the provided data, and the NVD item in the corpus is marked Deferred.