Smartermail
CVE-2026-23760
CRITICAL
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionCVE.org
SmarterTools SmarterMail versions prior to build 9511 contain an authentication bypass vulnerability in the password reset API. The force-reset-password endpoint permits anonymous requests and fails to verify the existing password or a reset token when resetting system administrator accounts. An unauthenticated attacker can supply a target administrator username and a new password to reset the account, resulting in full administrative compromise of the SmarterMail instance. NOTE: SmarterMail system administrator privileges grant the ability to execute operating system commands via built-in management functionality, effectively providing administrative (SYSTEM or root) access on the underlying host.
AnalysisAI
SmarterTools SmarterMail prior to build 9511 contains a critical authentication bypass in the password reset API (CVE-2026-23760) that allows unauthenticated attackers to reset system administrator passwords without verification. With EPSS 65% and KEV listing, this trivially exploitable vulnerability enables complete email server takeover, compromising all hosted mailboxes and organizational communications.
Technical ContextAI
The password reset API endpoint in SmarterMail does not require authentication and does not validate the existing password or any reset token before changing the password of system administrator accounts. An attacker simply needs to know (or guess) the admin username and send a POST request to the force-reset-password endpoint with a new password. This is a design flaw rather than a subtle bug — the endpoint completely lacks authorization checks.
RemediationAI
Upgrade SmarterMail to build 9511 or later immediately. If unable to patch: restrict access to the management API to trusted IPs only via firewall. Audit admin accounts for unauthorized password changes. Review mail logs for suspicious access patterns. Change all admin passwords after patching.
More in Smartermail
View allSmarterTools SmarterMail prior to build 9511 contains a second critical vulnerability (CVE-2026-24423) — an unauthentica
SmarterTools SmarterMail 16.x before build 6985 allows deserialization of untrusted data. Rated critical severity (CVSS
SmarterTools SmarterMail 16.x before build 6985 has hardcoded secret keys. Rated high severity (CVSS 8.2), this vulnerab
SmarterTools SmarterMail 16.x through 100.x before 100.0.7803 allows remote code execution. Rated critical severity (CVS
SmarterTools SmarterMail 8495 through 8664 before 8747 allows stored XSS via a crafted description of a Calendar appoint
SmarterTools SmarterMail 8495 through 8664 before 8747 allows stored DOM XSS because an XSS protection mechanism is skip
SmarterTools SmarterMail 8495 through 8664 before 8747 allows stored XSS by using image/svg+xml and an uploaded SVG docu
Authenticated attackers can read arbitrary JSON files from SmarterMail servers prior to build 9560 through a path traver
Multiple cross-site scripting (XSS) vulnerabilities in SmarterMail 9.2 allow remote attackers to inject arbitrary web sc
SmarterTools SmarterMail 16.x before build 6985 allows directory traversal. Rated medium severity (CVSS 6.5), this vulne
SmarterTools SmarterMail 16.x through 100.x before 100.0.7803 allows XSS. Rated medium severity (CVSS 6.1), this vulnera
SmarterTools SmarterMail before Build 7776 allows XSS. Rated medium severity (CVSS 6.1), this vulnerability is remotely
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today