CVE-2026-13164

UNKNOWN 0.0

Unauthenticated self-registration in MailerUp allows access to stored email data

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

0th

Missing Authentication for Critical Function (CWE-306) in the RegisterView (apps/accounts/views.py), exposed at POST /api/auth/register/, in MailerUp <1.0.1 allows a remote, unauthenticated attacker to self-register a working account on instances where registration is intended to be restricted, because the endpoint applies the AllowAny permission with no email verification, CAPTCHA, or administrator approval. Any account created this way can read all email stored by the instance, resulting in full disclosure of stored messages to an arbitrary unauthenticated attacker

CWE	CWE-306
Vendor	mailerup
Product	mailerup
Published	Jun 24, 2026
Last Updated	Jun 24, 2026

Stay Ahead of the Next One

Get instant alerts for mailerup mailerup

Be the first to know when new unknown vulnerabilities affecting mailerup mailerup are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

Mailerup / Mailerup

0 < 1.0.1

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/Maalfer/mailerup/commit/99eb6d4586134bf3f4422093fbf47d6794ef0ee5 secur0.com: https://secur0.com/en/cna/cve-list/cve-2026-13164-unauthenticated-self-registration-in-mailerup-allows-access-to-stored-email-data

Credits

Dario Rivas Quero Cristian Fernandez Cornejo Mario Alvarez Fernandez Xoan M. Otero Jorge Secur0 CNA