CVE-2026-23760
CVE-2026-23760 is a critical-severity vulnerability in Smartertools Smartermail with a CVSS 3.x base score of 9.8. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2026-01-26). The underlying weakness is classified as CWE-288.
Key facts
- Severity: Critical (CVSS 3.x base score 9.8)
- CVSS v4: 9.3
- EPSS exploit prediction: 96% (100th percentile)
- Actively exploited: Yes — listed in CISA KEV (added 2026-01-26)
- EU (EUVD) id: EUVD-2026-4143
- EU exploitation: Flagged exploited in the ENISA EU Vulnerability Database (since 2026-01-26)
- Weakness: CWE-288
- Affected product: Smartertools Smartermail
- Published:
- Last modified:
Description
SmarterTools SmarterMail versions prior to build 9511 contain an authentication bypass vulnerability in the password reset API. The force-reset-password endpoint permits anonymous requests and fails to verify the existing password or a reset token when resetting system administrator accounts. An unauthenticated attacker can supply a target administrator username and a new password to reset the account, resulting in full administrative compromise of the SmarterMail instance. NOTE: SmarterMail system administrator privileges grant the ability to execute operating system commands via built-in management functionality, effectively providing administrative (SYSTEM or root) access on the underlying host.
CVE-2026-23760: SmarterMail Authentication Bypass via Force-Reset-Password API
AI-generated analysis based on the vulnerability data on this page.
| Field | Value |
|---|---|
| CVE | CVE-2026-23760 |
| Published | 2026-01-22 |
| Severity (CVSS 3.1) | 9.8 CRITICAL |
| Severity (CVSS 4.0) | 9.3 CRITICAL |
| CWE | CWE-288: Authentication Bypass Using an Alternate Path or Channel |
| EPSS | 0.96268 (99.87th percentile) |
| KEV | Yes — added 2026-01-26 |
| EU Exploited | Yes — since 2026-01-26 (EUVD-2026-4143) |
| Assigner | [email protected] |
Summary
SmarterTools SmarterMail versions prior to build 9511 contain an authentication bypass vulnerability in the password reset API. The force-reset-password endpoint permits anonymous requests and fails to verify the existing password or a reset token when resetting system administrator accounts. An unauthenticated attacker can supply a target administrator username and a new password to reset the account, resulting in full administrative compromise of the SmarterMail instance. SmarterMail system administrator privileges grant the ability to execute operating system commands via built-in management functionality, effectively providing administrative (SYSTEM or root) access on the underlying host.
Background
SmarterMail is a widely deployed email and collaboration server developed by SmarterTools. It provides webmail, calendaring, instant messaging, and system administration capabilities. The product is commonly used by hosting providers and enterprises as a self-hosted alternative to cloud email services. The vulnerability resides in the password reset API logic, which was intended to allow legitimate password recovery flows but did not enforce authentication for the critical force-reset-password endpoint when targeting system administrator accounts.
Root Cause
The vulnerability maps to CWE-288: Authentication Bypass Using an Alternate Path or Channel. The API endpoint responsible for forcing password resets fails to validate that the requesting party is authenticated or in possession of a valid password reset token. Specifically, when the endpoint processes a request to reset a system administrator password, it does not require the caller to provide the existing password or a time-limited reset token. This design flaw creates an alternate authentication path that completely bypasses the normal identity verification flow. The missing authorization check allows any unauthenticated network actor to trigger a privileged account reset.
Impact
The CVSS 3.1 vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, yielding a base score of 9.8 (CRITICAL). The CVSS 4.0 vector similarly rates the issue at 9.3 (CRITICAL). The metrics confirm the following risk profile:
- Attack Vector (AV): Network — The vulnerable endpoint is exposed to remote attackers without requiring local network access.
- Attack Complexity (AC): Low — No special conditions or pre-conditions are needed; the endpoint responds predictably to a crafted request.
- Privileges Required (PR): None — The attacker does not need valid credentials or an account of any kind.
- User Interaction (UI): None — The exploit does not require a legitimate user to click a link or perform an action.
- Scope (S): Unchanged — The vulnerable component is the mail server itself; the impact does not cross a security boundary into another component, though full host compromise is possible through the admin console.
- Confidentiality, Integrity, Availability (C/I/A): High / High / High — Administrative access allows reading all mail, modifying configurations, and disrupting service availability. Because the admin console includes OS command execution capabilities, the underlying host’s confidentiality, integrity, and availability are also at risk.
With an EPSS score of 0.96268 (99.87th percentile), the probability of active exploitation in the wild is extremely high. CISA added this vulnerability to the Known Exploited Vulnerabilities catalog on 2026-01-26, and the EU Exploited Vulnerabilities Database (EUVD-2026-4143) also lists it as exploited since that same date.
Exploitation Walkthrough (Defensive Perspective)
Ethics & Legal Notice: The following description is provided from a defensive, generic viewpoint to help security teams understand the attack surface and implement detection. Do not attempt unauthorized access to systems you do not own or operate.
An attacker who can reach the SmarterMail web interface over the network can identify the password reset endpoint used for system administrator accounts. By crafting a request that omits both the existing password and a reset token, the attacker forces a password change for a known or guessed administrator username. Once the password is reset, the attacker logs into the admin console with the newly set credentials. From the admin console, the attacker can leverage built-in management functions to execute operating system commands on the host, effectively elevating from a mail-server compromise to full host control. No specialized exploit framework is required; the attack can be carried out with common HTTP client tools.
Defenders should note that the exploitation pattern is simple, fast, and highly reproducible, which explains the very high EPSS and rapid KEV inclusion.
Affected and Patched Versions
- Affected Product: SmarterTools SmarterMail (
cpe:2.3:a:smartertools:smartermail:*:*:*:*:*:*:*:*) - Affected Versions: All versions prior to build 9511 are affected. The specific vulnerable build threshold is not explicitly stated in the NVD record beyond "versions prior to build 9511."
- Patched Version: Build 9511 or later. Refer to the SmarterMail release notes for the exact build that contains the fix.
Organizations should verify their installed build number via the SmarterMail admin console or file-system metadata and upgrade immediately if they are running a build earlier than 9511.
Remediation
- Upgrade immediately. Install SmarterMail build 9511 or later. The patch removes the anonymous
force-reset-passwordpath for system administrator accounts and restores proper authentication requirements. - Compensating controls until patched:
- Restrict network access to the SmarterMail admin and password-reset endpoints to trusted IP ranges or a VPN bastion.
- Implement web-application firewall (WAF) rules that block or alert on unauthenticated POST requests to the password-reset endpoint targeting administrator usernames.
- Disable or rename default admin accounts if possible, and enforce multi-factor authentication (MFA) on all admin accounts that can be accessed through alternate paths.
- Post-incident hardening:
- Review admin account logs for unauthorized password resets.
- Audit host-level OS command execution history and file integrity.
- Rotate all admin credentials and API keys that may have been accessible from the compromised host.
Detection
Security teams can monitor for this attack using the following detection opportunities:
- Web server logs: Look for HTTP POST requests to the password-reset endpoint that do not carry a valid session cookie or reset token and that result in a subsequent successful login for the same administrator account.
- Authentication logs: Alert on administrator logins from unusual source IP addresses, user-agent strings, or geolocations, especially if the login occurs shortly after a password change event.
- Admin console audit logs: Monitor for unexpected OS command execution or configuration changes initiated by system administrator accounts.
- Endpoint detection (EDR/XDR): Flag new process creation by the SmarterMail worker process identity, especially command shells or script interpreters, as this may indicate the attacker leveraging admin-level OS command execution.
- Threat intelligence: Compare EPSS and KEV status against your vulnerability scan results to prioritize patching.
Assessment
CVE-2026-23760 is a textbook example of a missing authentication check on a critical administrative action. The EPSS score of 0.96268 and KEV inclusion within four days of publication indicate that this vulnerability is being exploited at scale. The additional EU exploited classification (EUVD-2026-4143) further confirms that threat actors across multiple jurisdictions are actively leveraging it.
Key lessons:
- Password-reset endpoints must always authenticate the caller. Any endpoint that can alter credentials for privileged accounts should require the current password, a time-limited signed token, or an out-of-band verified identity assertion. Anonymous paths to password reset are almost always critical vulnerabilities.
- Admin consoles that expose OS command execution multiply impact. The CVSS base score is already CRITICAL, but the practical risk is higher because the compromised mail server can be used as a launchpad for deeper host and network compromise. Architecture reviews should evaluate whether admin consoles truly need OS-level command execution, and if so, whether that functionality is isolated and audited.
References
- https://code-white.com/public-vulnerability-list/#authenticationserviceforceresetpassword-missing-authentication-in-smartermail
- https://labs.watchtowr.com/attackers-with-decompilers-strike-again-smartertools-smartermail-wt-2026-0001-auth-bypass/
- https://www.smartertools.com/smartermail/release-notes/current
- https://www.vulncheck.com/advisories/smartertools-smartermail-authentication-bypass-via-password-reset-api
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-23760
- https://www.huntress.com/blog/smartermail-account-takeover-leading-to-rce
Frequently asked questions
- What is CVE-2026-23760?
- SmarterTools SmarterMail versions prior to build 9511 contain an authentication bypass vulnerability in the password reset API. The force-reset-password endpoint permits anonymous requests and fails to verify the existing password or a reset token when resetting system administrator accounts. An unauthenticated attacker can supply a target administrator username and a new password to reset the account, resulting in full administrative compromise of the SmarterMail instance. NOTE: SmarterMail system administrator privileges grant the ability to execute operating system commands via built-in management functionality, effectively providing administrative (SYSTEM or root) access on the underlying host.
- How severe is CVE-2026-23760?
- CVE-2026-23760 has a CVSS 3.x base score of 9.8, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
- Is CVE-2026-23760 being actively exploited?
- Yes. CVE-2026-23760 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2026-01-26, which means active exploitation has been confirmed. It should be prioritised for remediation.
- What products are affected by CVE-2026-23760?
- CVE-2026-23760 affects Smartertools Smartermail. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2026-23760?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
- Does CVE-2026-23760 have an EU (EUVD) identifier?
- Yes. CVE-2026-23760 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2026-4143. It is also flagged as exploited in the EUVD (since 2026-01-26).
- When was CVE-2026-23760 published?
- CVE-2026-23760 was published on 2026-01-22 and last updated on 2026-06-17.
References
- https://code-white.com/public-vulnerability-list/#authenticationserviceforceresetpassword-missing-authentication-in-smartermail
- https://labs.watchtowr.com/attackers-with-decompilers-strike-again-smartertools-smartermail-wt-2026-0001-auth-bypass/
- https://www.smartertools.com/smartermail/release-notes/current
- https://www.vulncheck.com/advisories/smartertools-smartermail-authentication-bypass-via-password-reset-api
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-23760
- https://www.huntress.com/blog/smartermail-account-takeover-leading-to-rce
Affected products (1)
- cpe:2.3:a:smartertools:smartermail:*:*:*:*:*:*:*:*
More vulnerabilities in Smartertools Smartermail
- CVE-2025-52691 — Critical (CVSS 10.0): Successful exploitation of the vulnerability could allow an unauthenticated attacker to upload arbitrary files to any…
- CVE-2026-24423 — Critical (CVSS 9.8): SmarterTools SmarterMail versions prior to build 9511 contain an unauthenticated remote code execution vulnerability in…
- CVE-2021-32234 — Critical (CVSS 9.8): SmarterTools SmarterMail 16.x through 100.x before 100.0.7803 allows remote code execution.
- CVE-2019-7214 — Critical (CVSS 9.8): SmarterTools SmarterMail 16.x before build 6985 allows deserialization of untrusted data. An unauthenticated attacker…
- CVE-2019-7212 — High (CVSS 8.2): SmarterTools SmarterMail 16.x before build 6985 has hardcoded secret keys. An unauthenticated attacker could access…
- CVE-2026-7807 — High (CVSS 8.1): SmarterTools SmarterMail builds prior to 9560 contain a local file inclusion vulnerability in the…
All CVEs affecting Smartertools Smartermail →
Other CWE-288 vulnerabilities
- CVE-2026-53622 — Critical (CVSS 10.0): Traefik is an HTTP reverse proxy and load balancer. Prior to 3.7.3, there is a critical vulnerability in Traefik's…
- CVE-2026-48491 — Critical (CVSS 10.0): Traefik is an HTTP reverse proxy and load balancer. From 3.7.0 until 3.7.3, there is a high severity vulnerability in…
- CVE-2026-48020 — Critical (CVSS 10.0): Traefik is an HTTP reverse proxy and load balancer. Prior to 2.11.48, 3.6.19, and 3.7.3, there is a high severity…
- CVE-2026-20079 — Critical (CVSS 10.0): A vulnerability in the web interface of Cisco Secure Firewall Management Center (FMC) Software could allow an…
- CVE-2024-10081 — Critical (CVSS 10.0): CodeChecker is an analyzer tooling, defect database and viewer extension for the Clang Static Analyzer and Clang Tidy.…
- CVE-2024-2973 — Critical (CVSS 10.0): An Authentication Bypass Using an Alternate Path or Channel vulnerability in Juniper Networks Session Smart Router or…