Skip to main content

Python CVE-2026-27602

| EUVDEUVD-2026-15951 HIGH
OS Command Injection (CWE-78)
2026-03-25 https://github.com/modoboa/modoboa GHSA-wwv8-cqpr-vx3m
7.2
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.2 HIGH
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
EUVD ID Assigned
Mar 25, 2026 - 17:17 euvd
EUVD-2026-15951
Analysis Generated
Mar 25, 2026 - 17:17 vuln.today
Patch released
Mar 25, 2026 - 17:17 nvd
Patch available
CVE Published
Mar 25, 2026 - 17:03 nvd
HIGH 7.2

DescriptionGitHub Advisory

Summary

exec_cmd() in modoboa/lib/sysutils.py always runs subprocess calls with shell=True. Since domain names flow directly into shell command strings without any sanitization, a Reseller or SuperAdmin can include shell metacharacters in a domain name to run arbitrary OS commands on the server.

Details

The root cause is in modoboa/lib/sysutils.py:31:

python
kwargs["shell"] = True
process = subprocess.Popen(cmd, **kwargs)

When a create a domain is created with DKIM enabled, the domain name gets embedded into a shell command like this:

python
exec_cmd(f"openssl genrsa -out {dkim_storage_dir}/{domain.name}.pem {key_size}")

If the domain name contains something like $(id>/tmp/proof).example.com, the shell executes the injected command before running openssl.

The same pattern appears in several other places:

  • modoboa/admin/jobs.py:38 - mailbox rename via mv using full_address
  • modoboa/amavis/lib.py:202 - sa-learn using domain.name
  • modoboa/admin/models/mailbox.py:150 - doveadm user using full_address
  • modoboa/maillog/graphics.py:105-107 - rrdtool using domain.name
  • modoboa/webmail/models.py:54-57 - doveadm move/delete using account.email

PoC

  1. Deploy modoboa <= 2.7.0
  2. Log in as a Reseller or SuperAdmin
  3. Create a new domain named $(id>/tmp/proof).example.com with DKIM enabled
  4. SSH into the server and read /tmp/proof

Something like this will be displayed:

uid=0(root) gid=0(root) groups=0(root)

Confirmed on commit b521bcb4f (latest main at time of discovery).

Impact

An attacker with Reseller-level access (or higher) can execute arbitrary OS commands on the mail server - in a typical Modoboa deployment this means running as root. All six identified sinks are reachable through normal application workflows.

AnalysisAI

Modoboa, an open-source mail server management platform, contains a command injection vulnerability in its subprocess execution handler that allows authenticated Reseller or SuperAdmin users to execute arbitrary operating system commands. A proof-of-concept exploit exists demonstrating how shell metacharacters in domain names can achieve code execution, typically as root in standard deployments. The vulnerability affects modoboa versions up to and including 2.7.0, with patches available in version 2.7.1.

Technical ContextAI

This vulnerability stems from CWE-78 (OS Command Injection) in the exec_cmd() function within modoboa/lib/sysutils.py, which unconditionally sets shell=True when invoking subprocess.Popen(). The affected product is identified by CPE pkg:pip/modoboa. Multiple code paths pass unsanitized user-controlled data (domain names, email addresses, mailbox names) directly into shell command strings that invoke external utilities including openssl (for DKIM key generation), mv (mailbox operations), sa-learn (spam filtering via Amavis), doveadm (Dovecot administration), and rrdtool (logging graphics). When shell=True is enabled, subprocess executes commands through /bin/sh, allowing shell metacharacters like $(), backticks, semicolons, and pipes to break out of the intended command context and execute arbitrary code. Six distinct injection points have been identified across the codebase, all sharing the same root cause of shell-enabled subprocess calls combined with missing input validation.

RemediationAI

Upgrade Modoboa to version 2.7.1 or later, which addresses the command injection vulnerability through proper input sanitization and safer subprocess invocation patterns. The fix commit is available at https://github.com/modoboa/modoboa/commit/27a7aa133d3608fe8c25ae39125d1012c333cbfa and the patched release can be obtained from https://github.com/modoboa/modoboa/releases/tag/2.7.1. Organizations unable to immediately upgrade should implement compensating controls including restricting Reseller and SuperAdmin account creation to only highly trusted administrators, implementing additional input validation at the web application firewall layer to block domain names containing shell metacharacters, auditing existing domain names for suspicious patterns, and monitoring system logs for unexpected process executions from the Modoboa application context. Network segmentation limiting the mail server's ability to initiate outbound connections can also reduce post-exploitation impact.

More in Python

View all
CVE-2025-24016 CRITICAL POC
9.9 Feb 10

Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t

CVE-2025-27520 CRITICAL POC
9.8 Apr 04

BentoML version 1.4.2 and earlier contains an unauthenticated remote code execution vulnerability through insecure deser

CVE-2025-2945 CRITICAL POC
9.9 Apr 03

pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoi

CVE-2013-5093 MEDIUM POC
6.8 Sep 27

The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python

CVE-2025-32375 CRITICAL POC
9.8 Apr 09

BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Rated critica

CVE-2014-0224 HIGH POC
7.4 Jun 05

OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph

CVE-2024-21644 HIGH POC
7.5 Jan 08

pyLoad download manager version prior to 0.5.0b3.dev77 exposes the Flask SECRET_KEY through an unauthenticated endpoint.

CVE-2017-9462 HIGH POC
8.8 Jun 06

In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and conse

CVE-2026-39987 CRITICAL POC
9.3 Apr 08

Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/

CVE-2024-21645 MEDIUM POC
5.3 Jan 08

pyLoad is the free and open-source Download Manager written in pure Python. Rated medium severity (CVSS 5.3), this vulne

CVE-2026-33017 CRITICAL POC
9.3 Mar 17

Langflow (a visual LLM pipeline builder) contains a critical unauthenticated code execution vulnerability (CVE-2026-3301

CVE-2026-55255 HIGH POC
8.4 Jun 19

Cross-user flow execution in Langflow (< 1.9.1) lets any authenticated API-key holder run another user's flow by passing

Share

CVE-2026-27602 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy