Which versions of SmarterMail are affected by CVE-2026-7807?

SmarterMail servers below build 9560 contain a critical authentication bypass vulnerability allowing authenticated users to extract and decrypt stored passwords and two-factor authentication secrets…. A patch is available.

How to fix or mitigate CVE-2026-7807?

Within 24 hours: Identify all SmarterMail deployments and current build versions (check Administration > About). Within 7 days: Apply vendor patch to build 9560 or later on all SmarterMail servers; test in non-production environment first. Within 30 days: Audit access logs for /api/v1/report/summary/{type} endpoint access; reset credentials for all system users as a precautionary measure; enforce multi-factor authentication on administrative accounts using external authenticators not stored on the SmarterMail server.

SmarterMail CVE-2026-7807

Q: What is the CVSS score of CVE-2026-7807?

CVE-2026-7807 has a CVSS 4.0 base score of 8.7 (High). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.0%.

EUVD-2026-28826 HIGH

Path Traversal (CWE-22)

2026-05-08 VulnCheck

GHSA-qhw2-rfvc-fvrq

Path Traversal

8.7

CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Lifecycle Timeline

Analysis Generated

May 08, 2026 - 20:34 vuln.today

CVSS changed

May 08, 2026 - 20:22 NVD

8.1 (HIGH) 8.7 (HIGH)

CVE Published

May 08, 2026 - 19:54 nvd

HIGH 8.7

DescriptionNVD

SmarterTools SmarterMail builds prior to 9560 contain a local file inclusion vulnerability in the /api/v1/report/summary/{type} API endpoint that allows authenticated users to read arbitrary .json files on the system. Attackers can exploit this vulnerability combined with weak encryption algorithms and hardcoded keys to decrypt and access stored passwords and 2FA secrets for all users.

AnalysisAI

{type} endpoint. The vulnerability chains with weak encryption and hardcoded keys to decrypt stored passwords and two-factor authentication secrets for all system users, enabling complete account compromise. …

RemediationAI

{type} endpoint access; reset credentials for all system users as a precautionary measure; enforce multi-factor authentication on administrative accounts using external authenticators not stored on the SmarterMail server.

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-7807 vulnerability details – vuln.today

Back

SmarterMail CVE-2026-7807

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Analysis

Full analysis requires sign-in

Share

SmarterMail CVE-2026-7807

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code