Email Validation Bypass

[TheCyberDesk]

Current Behavior

Affected Endpoint: PUT /api/client/account/email

Current Behaviour
The email validation on the account update endpoint can be bypassed using escape characters (), allowing storage of RFC 2822 non-compliant email addresses in the database.

What happens:

Email addresses containing special characters (backticks, pipes, shell metacharacters) prefixed with \ bypass Laravel's email validation rule
Malformed email addresses are successfully stored in the users.email database column
Email operations (password reset, notifications) fail with Symfony\Component\Mime\Exception\RfcComplianceException errors
Laravel logs fill with RFC 2822 compliance errors
Example malformed emails that bypass validation:

\$(touch /tmp/PWNED)test@example.com
\`command\`user@example.com
\|pipe|test@example.com

Evidence in logs:

[2026-02-16 00:50:10] local.ERROR: Email "\$(touch /tmp/PWNED)test@example.com" 
does not comply with addr-spec of RFC 2822. 
(Symfony\Component\Mime\Exception\RfcComplianceException)

Note: While I explored potential command injection scenarios during testing, I was unable to achieve code execution. The issue is limited to data integrity and email functionality failures.

Expected Behavior

1. The email validation should reject all email addresses that don't comply with RFC 2822
2. Email addresses containing escape sequences or special characters should be rejected at the API level
3. Only valid, RFC-compliant email addresses should be stored in the database
4. Email operations should function reliably for all stored addresses

Steps to Reproduce

API Request Interception
Use Burp Suite or similar proxy tool
Log into the panel and navigate to account settings
Intercept the PUT /api/client/account/email request
Modify the request body:

{
    "email": "\\$(touch /tmp/PWNED)test@example.com",
    "password": "YourPassword123"
}

Forward the modified request
Observe: Response 204 No Content (success)

Panel Version

1.12.1

Wings Version

1.12.1

Games and/or Eggs Affected

No response

Docker Image

No response

Error Logs

[2026-02-16 00:50:10] local.ERROR: Email "\$(touch /tmp/PWNED)test@example.com" 
does not comply with addr-spec of RFC 2822. 
(Symfony\Component\Mime\Exception\RfcComplianceException)

Is there an existing issue for this?

• I have searched the existing issues before opening this issue. I understand that maintainers may close this issue without communication if I have not provided sufficient information.

[EgoMaw]

Digging a bit into this, that happens because egulias/EmailValidator allows some warnings through on the standard validation, if you set the email validation to be strict

['email' => 'required|email:strict|between:1,191|unique:users,email']

then those emails are no longer allowed. I personally don't see a big need for strictly enforcing the spec since it doesn't allow for any security issues, plus whoever updates/sets their email to anything similar to your attempts, will face issues logging in/updating their email from the front-end too.

[DaneEveritt]

Yeah I'm good with email:strict here.