Skip to main content

SmarterMail CVE-2026-7807

| EUVDEUVD-2026-28826 HIGH
Path Traversal (CWE-22)
2026-05-08 VulnCheck GHSA-qhw2-rfvc-fvrq
8.7
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

3
Analysis Generated
May 08, 2026 - 20:34 vuln.today
CVSS changed
May 08, 2026 - 20:22 NVD
8.1 (HIGH) 8.7 (HIGH)
CVE Published
May 08, 2026 - 19:54 nvd
HIGH 8.7

DescriptionCVE.org

SmarterTools SmarterMail builds prior to 9560 contain a local file inclusion vulnerability in the /api/v1/report/summary/{type} API endpoint that allows authenticated users to read arbitrary .json files on the system. Attackers can exploit this vulnerability combined with weak encryption algorithms and hardcoded keys to decrypt and access stored passwords and 2FA secrets for all users.

AnalysisAI

Authenticated attackers can read arbitrary JSON files from SmarterMail servers prior to build 9560 through a path traversal vulnerability in the /api/v1/report/summary/{type} endpoint. The vulnerability chains with weak encryption and hardcoded keys to decrypt stored passwords and two-factor authentication secrets for all system users, enabling complete account compromise. VulnCheck identified this vulnerability; vendor patch available in build 9560 or later. CVSS 8.7 reflects high confidentiality and integrity impact with low attack complexity, though requiring authenticated access (PR:L) moderates immediate risk for internet-exposed instances with strong authentication controls.

Technical ContextAI

This is a classic path traversal (CWE-22) vulnerability affecting the SmarterMail email server platform's REST API reporting endpoint. The /api/v1/report/summary/{type} parameter fails to properly sanitize the {type} input, allowing authenticated users to traverse outside the intended directory structure using directory traversal sequences (likely '../' patterns) to access arbitrary .json files on the filesystem. The severity escalates because SmarterMail stores sensitive credential data (passwords and TOTP 2FA secrets) in JSON format encrypted with weak algorithms and hardcoded cryptographic keys - effectively security through obscurity. Once an attacker retrieves these encrypted JSON files through the LFI, the hardcoded keys enable trivial decryption, transforming a file read vulnerability into credential disclosure affecting all users on the system. This represents a fundamental failure in both input validation (the traversal) and secure credential storage (weak crypto with embedded keys rather than using platform key stores or HSMs).

RemediationAI

Upgrade immediately to SmarterMail build 9560 or later, which addresses the path traversal vulnerability according to vendor release notes at https://www.smartertools.com/smartermail/release-notes/current. Post-upgrade, organizations must rotate ALL user passwords and regenerate all 2FA secrets system-wide, as the hardcoded encryption keys mean any previously exfiltrated credential files remain decryptable indefinitely. If immediate patching is not feasible, implement network-level restrictions to limit API endpoint access to trusted IP ranges only, though this provides incomplete protection if authenticated users access from allowed networks. Disabling the /api/v1/report/summary/* endpoints entirely through reverse proxy URL filtering (block .*/api/v1/report/summary/.* paths) prevents exploitation but may impact legitimate reporting functionality that depends on this API. Organizations should review authentication logs for anomalous API requests to /api/v1/report/summary/ with suspicious {type} parameters containing traversal sequences, and conduct forensic analysis to determine if credential files were accessed prior to patching.

CVE-2026-23760 CRITICAL POC
9.8 Jan 22

SmarterTools SmarterMail prior to build 9511 contains a critical authentication bypass in the password reset API (CVE-20

CVE-2026-24423 CRITICAL POC
9.8 Jan 23

SmarterTools SmarterMail prior to build 9511 contains a second critical vulnerability (CVE-2026-24423) — an unauthentica

CVE-2019-7214 CRITICAL POC
9.8 Apr 24

SmarterTools SmarterMail 16.x before build 6985 allows deserialization of untrusted data. Rated critical severity (CVSS

CVE-2019-7212 HIGH POC
8.2 Apr 24

SmarterTools SmarterMail 16.x before build 6985 has hardcoded secret keys. Rated high severity (CVSS 8.2), this vulnerab

CVE-2021-32234 CRITICAL
9.8 Nov 17

SmarterTools SmarterMail 16.x through 100.x before 100.0.7803 allows remote code execution. Rated critical severity (CVS

CVE-2023-48116 MEDIUM POC
5.4 Dec 21

SmarterTools SmarterMail 8495 through 8664 before 8747 allows stored XSS via a crafted description of a Calendar appoint

CVE-2023-48115 MEDIUM POC
5.4 Dec 21

SmarterTools SmarterMail 8495 through 8664 before 8747 allows stored DOM XSS because an XSS protection mechanism is skip

CVE-2023-48114 MEDIUM POC
5.4 Dec 21

SmarterTools SmarterMail 8495 through 8664 before 8747 allows stored XSS by using image/svg+xml and an uploaded SVG docu

CVE-2012-2578 MEDIUM POC
4.3 Sep 19

Multiple cross-site scripting (XSS) vulnerabilities in SmarterMail 9.2 allow remote attackers to inject arbitrary web sc

CVE-2019-7213 MEDIUM
6.5 Apr 24

SmarterTools SmarterMail 16.x before build 6985 allows directory traversal. Rated medium severity (CVSS 6.5), this vulne

CVE-2021-43977 MEDIUM
6.1 Nov 17

SmarterTools SmarterMail 16.x through 100.x before 100.0.7803 allows XSS. Rated medium severity (CVSS 6.1), this vulnera

CVE-2021-32233 MEDIUM
6.1 Jul 06

SmarterTools SmarterMail before Build 7776 allows XSS. Rated medium severity (CVSS 6.1), this vulnerability is remotely

Share

CVE-2026-7807 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy