Home / Vulnerability Intelligence / CVE-2026-34752

CVE-2026-34752 - Vulnerability Analysis

HighCVSS: 7.5

Last Updated: April 3, 2026

Haraka - Denial of Service

Published: April 2, 2026Updated: April 3, 2026PoC AvailableRemote Exploitable

Overview

Haraka < 3.1.4 contains a denial of service caused by sending an email with __proto__ as a header name, letting attackers crash the worker process, exploit requires sending crafted email headers.

Severity & Score

Severity: High

CVSS Score: 7.5

Impact

Attackers can crash the mail server process, causing denial of service.

Mitigation

Update to version 3.1.4 or later.

References

https://github.com/haraka/Haraka/releases/tag/v3.1.4
https://github.com/haraka/Haraka/security/advisories/GHSA-xph3-r2jf-4vp3

Related Resources

Vulnerability Intelligence Dashboard
Credential Scanner

Details

CVE ID: CVE-2026-34752
Severity: High
CVSS Score: 7.5
Type: denial_of_service
Status: confirmed

CWE

CWE-248

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H