What the vulnerability does
01Description
Missing Authorization vulnerability in Elastic Email Elastic Email Sender elastic-email-sender allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Elastic Email Sender: from n/a through <= 1.2.20.
Explanation of Vulnerability in Simple Terms
02Summary
Elastic Email Sender versions up to 1.2.20 lack proper authorization checks, allowing authenticated users with low privileges to disrupt service availability. An attacker with valid credentials can trigger a denial-of-service condition affecting the application's availability. This vulnerability requires valid user authentication and network access but does not compromise data confidentiality or integrity.
What an attacker can do
03Attacker Capabilities
An authenticated user can disrupt service availability by exploiting missing authorization controls.
Potential impact on your site
04Site Impact
Users may experience service interruptions or unavailability caused by authenticated attackers exploiting the authorization gap.
Conditions required to exploit
05Prerequisites
Attacker must have valid user credentials (low-privilege account) and network access to the application.
Key dates
06Disclosure timeline
December 9, 2025
CVE published
April 28, 2026
Record updated