
Froxlor CVE-2026-41232 | EUVD-2026-25186 | MEDIUM
Incorrect Authorization (CWE-863)
2026-04-23 · GitHub_M
CVSS 3.1 score 5.0 (GitHub Advisory)

Severity by source

GitHub Advisory (primary): 5.0 MEDIUM, AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N

Primary rating from GitHub Advisory; it is the only source for this CVE.

CVSS Vector (GitHub Advisory)

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N

- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Changed
- Confidentiality: None
- Integrity: Low
- Availability: None

Lifecycle Timeline (6 events, newest first)

- Apr 27, 2026 17:02 (nvd): Patch released (patch available)
- Apr 23, 2026 07:08 (vuln.today): Analysis generated
- Apr 23, 2026 06:16 (EUVD): Patch available
- Apr 23, 2026 05:00 (euvd): EUVD ID assigned (EUVD-2026-25186)
- Apr 23, 2026 05:00 (vuln.today): Analysis generated
- Apr 23, 2026 03:54 (nvd): CVE published (MEDIUM 5.0)

Description (GitHub Advisory)

Froxlor is open source server administration software. Prior to version 2.3.6, in EmailSender::add(), the domain ownership validation for full email sender aliases uses the wrong array index when splitting the email address, passing the local part instead of the domain to validateLocalDomainOwnership(). This causes the ownership check to always pass for non-existent "domains," allowing any authenticated customer to add sender aliases for email addresses on domains belonging to other customers. Postfix's sender_login_maps then authorizes the attacker to send emails as those addresses. Version 2.3.6 fixes the issue.

Analysis (AI-generated)

Froxlor versions prior to 2.3.6 fail to validate domain ownership correctly when adding full email sender aliases, allowing authenticated customers to add sender aliases for email addresses on domains belonging to other customers and subsequently send emails as those addresses via Postfix sender_login_maps authorization. The vulnerability stems from an array indexing error in EmailSender::add() that passes the local part of an email address instead of the domain to the ownership validation function, causing the check to pass for non-existent domains. …
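As an added illustration of the indexing bug described in the advisory and analysis above (not Froxlor's code, which is PHP; names, the domain table and the rule that a domain not hosted locally passes the ownership check are assumptions), this Python models the pre-2.3.6 check beside the corrected one, and goes one step further with a post-upgrade audit over constructed alias rows that flags aliases already created on another customer's domain.

```python
# Constructed sample data: which customer owns which locally hosted domain.
LOCAL_DOMAINS = {
    "competitor.com": "customer_a",
    "example-hosting.test": "customer_b",
}

# Constructed sample alias rows as (customer, sender address), as they might
# exist on an instance that ran a vulnerable version before upgrading.
SAMPLE_ALIASES = [
    ("customer_a", "sales@competitor.com"),
    ("customer_b", "user@competitor.com"),       # created via the bug
    ("customer_b", "me@external.example"),       # external domain, allowed
]


def split_address(email: str):
    """Return (local_part, domain) or None if the address has no single '@'."""
    parts = email.split("@")
    return (parts[0], parts[1].lower()) if len(parts) == 2 else None


def validate_local_domain_ownership(customer: str, domain: str) -> bool:
    """Assumed semantics of the ownership check: a locally hosted domain must
    belong to the requesting customer; an unknown domain is treated as
    external and passes. That is why a local part such as 'user' passes."""
    owner = LOCAL_DOMAINS.get(domain.lower())
    return owner is None or owner == customer


def add_sender_alias_vulnerable(customer: str, email: str) -> bool:
    """Pre-2.3.6 behaviour: index 0 (the local part) is checked, not the domain."""
    parts = split_address(email)
    if parts is None:
        return False
    return validate_local_domain_ownership(customer, parts[0])  # wrong index


def add_sender_alias_fixed(customer: str, email: str) -> bool:
    """2.3.6 behaviour: index 1 (the domain) is checked."""
    parts = split_address(email)
    if parts is None:
        return False
    return validate_local_domain_ownership(customer, parts[1])


def audit_sender_aliases(aliases):
    """Post-upgrade audit: list (customer, email, real_owner) for every alias
    whose domain is hosted locally but owned by a different customer."""
    findings = []
    for customer, email in aliases:
        parts = split_address(email)
        owner = LOCAL_DOMAINS.get(parts[1]) if parts else None
        if owner is not None and owner != customer:
            findings.append((customer, email, owner))
    return findings
```

Upgrading closes the hole for new aliases only; aliases that were added while the instance was vulnerable stay in the database, so the audit is what tells an operator whether any cross-customer sender aliases need removing.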


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata:

- Access: Authenticate as customer account
- Delivery: Access email alias management interface
- Exploit: Submit spoofed sender alias
- Execution: Bypass domain ownership validation
- Impact: Send email as victim address

Vulnerability Assessment (AI-generated)

Exploitation: Exploitation requires a valid authenticated customer account on a Froxlor instance with email sender alias functionality enabled (standard configuration). …

Risk Assessment: This vulnerability presents moderate real-world risk despite the 5.0 CVSS score, which reflects its limited scope (same administrative domain only, not cross-system). …

Exploit Scenario: A malicious customer on a shared Froxlor-managed hosting platform authenticates to their account and navigates to the email sender alias management interface. They attempt to add a sender alias for user@competitor.com, a domain belonging to a different customer. …

Remediation: Upgrade to Froxlor version 2.3.6 or later immediately to apply the vendor-released patch, which corrects the array indexing error in EmailSender::add() so that domain ownership is validated properly. …


CVE-2026-41232 vulnerability details – vuln.today