Exploit Title: mailcow 2025-01a - Host Header Password Reset Poisoning
Date: 2025-10-21
Exploit Author: Iam Alvarez (AKA Groppoxx / Maizeravla)
Vendor Homepage: https://mailcow.email
Software Link: https://github.com/mailcow/mailcow-dockerized
Version: < 2025-01a
Tested on: Ubuntu 22.04.5 LTS, Docker 26.1.3, Docker Compose 2.27.1; mailcow:dockerized 2025-01
CVE: CVE-2025-25198
PoC: htt...
This vulnerability exposes a critical gap in how self-hosted email platforms handle HTTP request headers in authentication workflows, here the password reset flow: the reset link emailed to the user is built from the attacker-controllable Host header rather than from the configured hostname, so a forged reset request can point the victim's link, and with it the reset token, at a host the attacker controls. It shows how even a well-maintained open-source project can harbor a subtle but severe flaw when trust is placed in an unvalidated HTTP header. The disclosure process here is exemplary: responsible reporting, clear documentation, and a functional proof of concept for verification, without sensationalism or...
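The following is an added illustration of the bug class named in the title, not mailcow's code and not the author's PoC: a minimal reset-link builder that trusts the Host header, next to a hardened variant that takes the host from configuration and refuses requests whose Host does not match. The function names, the `/reset-password` path and the `mail.example.org` hostname are assumptions made for the example.

```python
import secrets
from urllib.parse import urlencode, urlsplit

# Constructed example: the hostname the operator configured for the instance.
# (mailcow exposes such a value as MAILCOW_HOSTNAME; this example does not
# read any real configuration.)
CONFIGURED_HOSTNAME = "mail.example.org"


def build_reset_link_vulnerable(headers: dict, token: str) -> str:
    """Vulnerable pattern: the link's origin is copied from the request's Host header.

    An attacker who triggers a reset for the victim's address while sending
    'Host: attacker.example' makes the emailed link point at their own server,
    which receives the reset token as soon as the victim clicks the link.
    The same applies to X-Forwarded-Host when a proxy forwards it unchanged.
    """
    host = headers.get("Host", CONFIGURED_HOSTNAME)
    return f"https://{host}/reset-password?{urlencode({'token': token})}"


def build_reset_link_hardened(headers: dict, token: str) -> str:
    """Hardened pattern: never derive the link's origin from the request.

    The hostname comes from configuration only. A Host header that does not
    match it (after stripping an optional port and normalising case) is treated
    as a poisoning attempt and the request is refused rather than silently
    'corrected', so the event can be logged.
    """
    host = headers.get("Host", "").split(":", 1)[0].lower()
    if host != CONFIGURED_HOSTNAME:
        raise ValueError(f"rejecting reset request for unexpected Host: {host!r}")
    return f"https://{CONFIGURED_HOSTNAME}/reset-password?{urlencode({'token': token})}"


def link_points_at_expected_host(link: str) -> bool:
    """Defence in depth: check a generated link before handing it to the mailer."""
    parts = urlsplit(link)
    return parts.scheme == "https" and parts.hostname == CONFIGURED_HOSTNAME


if __name__ == "__main__":
    token = secrets.token_urlsafe(32)
    # Constructed request headers for a poisoned and a legitimate request.
    poisoned = {"Host": "attacker.example"}
    legitimate = {"Host": "mail.example.org:443"}

    bad_link = build_reset_link_vulnerable(poisoned, token)
    print("vulnerable builder produced:", bad_link)
    print("points at configured host?", link_points_at_expected_host(bad_link))

    good_link = build_reset_link_hardened(legitimate, token)
    print("hardened builder produced:", good_link)
    try:
        build_reset_link_hardened(poisoned, token)
    except ValueError as exc:
        print("hardened builder refused:", exc)
```

The check in `link_points_at_expected_host` is cheap and catches regressions in any code path that assembles absolute URLs for email, not just the reset flow; the key design point is that nothing user-controlled reaches the scheme or host of a link that carries a credential.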
