CVE-2026-13164 | Missing Authentication for Critical Function (CWE-306) in th… | CVSS 8.8 HIGH

Description

Missing Authentication for Critical Function (CWE-306) in the RegisterView (apps/accounts/views.py), exposed at POST /api/auth/register/, in MailerUp <1.0.1 allows a remote, unauthenticated attacker to self-register a working account on instances where registration is intended to be restricted, because the endpoint applies the AllowAny permission with no email verification, CAPTCHA, or administrator approval. Any account created this way can read all email stored by the instance, resulting in full disclosure of stored messages to an arbitrary unauthenticated attacker

Metadata

CVE ID: CVE-2026-13164
State: PUBLISHED
Assigner: Secur0
Reserved: 2026-06-24 12:50 UTC
Published: 2026-06-24 15:37 UTC
Last updated: 2026-06-24 16:43 UTC
Primary CWE: CWE-306
CWE-306 Missing authentication for critical function
Vendor / Product: Mailerup / Mailerup
Sources: cve.org · NVD

Severity & Metrics

8.8 HIGH CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N

SSVC — CISA Coordinator

Exploitation: none
Automatable: yes
Tech. Impact: partial

Affected products (1)

Vendor	Product	Platform	Versions
Mailerup	Mailerup	—	0 < 1.0.1

Weakness (CWE)

CWE	Source	Description
CWE-306	cna	CWE-306 Missing authentication for critical function

CVSS scores (1)

Score	Severity	Version	Source	Vector
8.8	HIGH	4.0	cna	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N

References (2)