CVE Catalog

CVE-2026-13164

HighCVSS 8.8
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.41%

32th percentile — higher than 32% of all known CVEs

Summary

Missing authentication for a critical function in MailerUp <1.0.1 allows a remote, unauthenticated attacker to self-register an account. The POST /api/auth/register/ endpoint applies AllowAny permissions without email verification, CAPTCHA, or administrator approval.

Risk Assessment

An attacker can create an account that grants access to all stored email messages, leading to full disclosure of data stored in the system.

Recommendation

It is recommended to implement verification mechanisms such as email verification, CAPTCHA, and administrator approval for the registration process.

Original NVD description (English source)

Missing Authentication for Critical Function (CWE-306) in the RegisterView (apps/accounts/views.py), exposed at POST /api/auth/register/, in MailerUp <1.0.1 allows a remote, unauthenticated attacker to self-register a working account on instances where registration is intended to be restricted, because the endpoint applies the AllowAny permission with no email verification, CAPTCHA, or administrator approval. Any account created this way can read all email stored by the instance, resulting in full disclosure of stored messages to an arbitrary unauthenticated attacker

Vulnerability data from NVD (NIST) · CISA KEV · EPSS