{"api_version":"1","generated_at":"2026-07-06T08:01:30+00:00","cve":"CVE-2026-13164","urls":{"html":"https://cve.report/CVE-2026-13164","api":"https://cve.report/api/cve/CVE-2026-13164.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-13164","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-13164"},"summary":{"title":"Unauthenticated self-registration in MailerUp allows access to stored email data","description":"Missing Authentication for Critical Function (CWE-306) in the RegisterView (apps/accounts/views.py), exposed at POST /api/auth/register/, in MailerUp <1.0.1 allows a remote, unauthenticated attacker to self-register a working account on instances where registration is intended to be restricted, because the endpoint applies the AllowAny permission with no email verification, CAPTCHA, or administrator approval. Any account created this way can read all email stored by the instance, resulting in full disclosure of stored messages to an arbitrary unauthenticated attacker","state":"PUBLISHED","assigner":"Secur0","published_at":"2026-06-24 17:16:56","updated_at":"2026-06-25 19:58:30"},"problem_types":["CWE-306","CWE-306 CWE-306 Missing authentication for critical function"],"metrics":[{"version":"4.0","source":"4daa8cea-433a-44bd-9456-53b127fc289a","type":"Secondary","score":"8.8","severity":"HIGH","vector":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","data":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":8.8,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"NONE","userInteraction":"NONE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"LOW","vulnAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}},{"version":"4.0","source":"CNA","type":"CVSS","score":"8.8","severity":"HIGH","vector":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N","data":{"Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","Safety":"NOT_DEFINED","attackComplexity":"LOW","attackRequirements":"NONE","attackVector":"NETWORK","baseScore":8.8,"baseSeverity":"HIGH","exploitMaturity":"NOT_DEFINED","privilegesRequired":"NONE","providerUrgency":"NOT_DEFINED","subAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","userInteraction":"NONE","valueDensity":"NOT_DEFINED","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N","version":"4.0","vulnAvailabilityImpact":"NONE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"LOW","vulnerabilityResponseEffort":"NOT_DEFINED"}}],"references":[{"url":"https://github.com/Maalfer/mailerup/commit/99eb6d4586134bf3f4422093fbf47d6794ef0ee5","name":"https://github.com/Maalfer/mailerup/commit/99eb6d4586134bf3f4422093fbf47d6794ef0ee5","refsource":"4daa8cea-433a-44bd-9456-53b127fc289a","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://secur0.com/en/cna/cve-list/cve-2026-13164-unauthenticated-self-registration-in-mailerup-allows-access-to-stored-email-data","name":"https://secur0.com/en/cna/cve-list/cve-2026-13164-unauthenticated-self-registration-in-mailerup-allows-access-to-stored-email-data","refsource":"4daa8cea-433a-44bd-9456-53b127fc289a","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-13164","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-13164","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Mailerup","product":"Mailerup","version":"affected 1.0.1 custom","platforms":[]}],"timeline":[],"solutions":[{"source":"CNA","title":"","value":"Upgrade to version greater or equal than 1.0.1","time":"","lang":"en"}],"workarounds":[],"exploits":[],"credits":[{"source":"CNA","value":"Dario Rivas Quero","lang":"en"},{"source":"CNA","value":"Cristian Fernandez Cornejo","lang":"en"},{"source":"CNA","value":"Mario Alvarez Fernandez","lang":"en"},{"source":"CNA","value":"Xoan M. Otero Jorge","lang":"en"},{"source":"CNA","value":"Secur0 CNA","lang":"en"}],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":{"cve_year":"2026","cve_id":"13164","cve":"CVE-2026-13164","epss":"0.004060000","percentile":"0.323930000","score_date":"2026-06-29","updated_at":"2026-06-30 00:06:53"},"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"metrics":[{"other":{"content":{"id":"CVE-2026-13164","options":[{"Exploitation":"none"},{"Automatable":"yes"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","timestamp":"2026-06-24T16:42:15.974524Z","version":"2.0.3"},"type":"ssvc"}}],"providerMetadata":{"dateUpdated":"2026-06-24T16:43:56.757Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"title":"CISA ADP Vulnrichment"}],"cna":{"affected":[{"defaultStatus":"unaffected","product":"Mailerup","repo":"https://github.com/Maalfer/mailerup","vendor":"Mailerup","versions":[{"lessThan":"1.0.1","status":"affected","version":"0","versionType":"custom"}]}],"cpeApplicability":[{"nodes":[{"cpeMatch":[{"criteria":"cpe:2.3:a:mailerup:mailerup:*:*:*:*:*:*:*:*","versionEndExcluding":"1.0.1","versionStartIncluding":"0","vulnerable":true}],"negate":false,"operator":"OR"}],"operator":"OR"}],"credits":[{"lang":"en","type":"finder","value":"Dario Rivas Quero"},{"lang":"en","type":"finder","value":"Cristian Fernandez Cornejo"},{"lang":"en","type":"remediation developer","value":"Mario Alvarez Fernandez"},{"lang":"en","type":"analyst","value":"Xoan M. Otero Jorge"},{"lang":"en","type":"coordinator","value":"Secur0 CNA"}],"descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"Missing Authentication for Critical Function (CWE-306) in the <code>RegisterView</code> (<code>apps/accounts/views.py</code>), exposed at <code>POST /api/auth/register/</code>, in MailerUp &lt;1.0.1 allows a remote, unauthenticated attacker to self-register a working account on instances where registration is intended to be restricted, because the endpoint applies the <code>AllowAny</code> permission with no email verification, CAPTCHA, or administrator approval. Any account created this way can read all email stored by the instance, resulting in full disclosure of stored messages to an arbitrary unauthenticated attacker"}],"value":"Missing Authentication for Critical Function (CWE-306) in the RegisterView (apps/accounts/views.py), exposed at POST /api/auth/register/, in MailerUp <1.0.1 allows a remote, unauthenticated attacker to self-register a working account on instances where registration is intended to be restricted, because the endpoint applies the AllowAny permission with no email verification, CAPTCHA, or administrator approval. Any account created this way can read all email stored by the instance, resulting in full disclosure of stored messages to an arbitrary unauthenticated attacker"}],"metrics":[{"cvssV4_0":{"Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","Safety":"NOT_DEFINED","attackComplexity":"LOW","attackRequirements":"NONE","attackVector":"NETWORK","baseScore":8.8,"baseSeverity":"HIGH","exploitMaturity":"NOT_DEFINED","privilegesRequired":"NONE","providerUrgency":"NOT_DEFINED","subAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","userInteraction":"NONE","valueDensity":"NOT_DEFINED","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N","version":"4.0","vulnAvailabilityImpact":"NONE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"LOW","vulnerabilityResponseEffort":"NOT_DEFINED"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-306","description":"CWE-306 Missing authentication for critical function","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-06-24T15:37:17.398Z","orgId":"4daa8cea-433a-44bd-9456-53b127fc289a","shortName":"Secur0"},"references":[{"tags":["patch"],"url":"https://github.com/Maalfer/mailerup/commit/99eb6d4586134bf3f4422093fbf47d6794ef0ee5"},{"tags":["technical-description","related"],"url":"https://secur0.com/en/cna/cve-list/cve-2026-13164-unauthenticated-self-registration-in-mailerup-allows-access-to-stored-email-data"}],"solutions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"Upgrade to version greater or equal than 1.0.1"}],"value":"Upgrade to version greater or equal than 1.0.1"}],"source":{"discovery":"INTERNAL"},"title":"Unauthenticated self-registration in MailerUp allows access to stored email data","x_generator":{"engine":"Vulnogram 1.0.2"}}},"cveMetadata":{"assignerOrgId":"4daa8cea-433a-44bd-9456-53b127fc289a","assignerShortName":"Secur0","cveId":"CVE-2026-13164","datePublished":"2026-06-24T15:37:17.398Z","dateReserved":"2026-06-24T12:50:14.906Z","dateUpdated":"2026-06-24T16:43:56.757Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-06-24 17:16:56","lastModifiedDate":"2026-06-25 19:58:30","problem_types":["CWE-306","CWE-306 CWE-306 Missing authentication for critical function"],"metrics":{"cvssMetricV40":[{"source":"4daa8cea-433a-44bd-9456-53b127fc289a","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":8.8,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"NONE","userInteraction":"NONE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"LOW","vulnAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"ssvcV203":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","ssvcData":{"timestamp":"2026-06-24T16:42:15.974524Z","id":"CVE-2026-13164","options":[{"exploitation":"none"},{"automatable":"yes"},{"technicalImpact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}]},"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"13164","Ordinal":"1","Title":"Unauthenticated self-registration in MailerUp allows access to s","CVE":"CVE-2026-13164","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"13164","Ordinal":"1","NoteData":"Missing Authentication for Critical Function (CWE-306) in the RegisterView (apps/accounts/views.py), exposed at POST /api/auth/register/, in MailerUp <1.0.1 allows a remote, unauthenticated attacker to self-register a working account on instances where registration is intended to be restricted, because the endpoint applies the AllowAny permission with no email verification, CAPTCHA, or administrator approval. Any account created this way can read all email stored by the instance, resulting in full disclosure of stored messages to an arbitrary unauthenticated attacker","Type":"Description","Title":"Unauthenticated self-registration in MailerUp allows access to s"}]}}}