Severity by source
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionGitHub Advisory
Summary
exec_cmd() in modoboa/lib/sysutils.py always runs subprocess calls with shell=True. Since domain names flow directly into shell command strings without any sanitization, a Reseller or SuperAdmin can include shell metacharacters in a domain name to run arbitrary OS commands on the server.
Details
The root cause is in modoboa/lib/sysutils.py:31:
kwargs["shell"] = True
process = subprocess.Popen(cmd, **kwargs)When a create a domain is created with DKIM enabled, the domain name gets embedded into a shell command like this:
exec_cmd(f"openssl genrsa -out {dkim_storage_dir}/{domain.name}.pem {key_size}")If the domain name contains something like $(id>/tmp/proof).example.com, the shell executes the injected command before running openssl.
The same pattern appears in several other places:
modoboa/admin/jobs.py:38- mailbox rename viamvusingfull_addressmodoboa/amavis/lib.py:202-sa-learnusingdomain.namemodoboa/admin/models/mailbox.py:150-doveadm userusingfull_addressmodoboa/maillog/graphics.py:105-107-rrdtoolusingdomain.namemodoboa/webmail/models.py:54-57-doveadm move/deleteusingaccount.email
PoC
- Deploy modoboa <= 2.7.0
- Log in as a Reseller or SuperAdmin
- Create a new domain named
$(id>/tmp/proof).example.comwith DKIM enabled - SSH into the server and read
/tmp/proof
Something like this will be displayed:
uid=0(root) gid=0(root) groups=0(root)Confirmed on commit b521bcb4f (latest main at time of discovery).
Impact
An attacker with Reseller-level access (or higher) can execute arbitrary OS commands on the mail server - in a typical Modoboa deployment this means running as root. All six identified sinks are reachable through normal application workflows.
AnalysisAI
Modoboa, an open-source mail server management platform, contains a command injection vulnerability in its subprocess execution handler that allows authenticated Reseller or SuperAdmin users to execute arbitrary operating system commands. A proof-of-concept exploit exists demonstrating how shell metacharacters in domain names can achieve code execution, typically as root in standard deployments. The vulnerability affects modoboa versions up to and including 2.7.0, with patches available in version 2.7.1.
Technical ContextAI
This vulnerability stems from CWE-78 (OS Command Injection) in the exec_cmd() function within modoboa/lib/sysutils.py, which unconditionally sets shell=True when invoking subprocess.Popen(). The affected product is identified by CPE pkg:pip/modoboa. Multiple code paths pass unsanitized user-controlled data (domain names, email addresses, mailbox names) directly into shell command strings that invoke external utilities including openssl (for DKIM key generation), mv (mailbox operations), sa-learn (spam filtering via Amavis), doveadm (Dovecot administration), and rrdtool (logging graphics). When shell=True is enabled, subprocess executes commands through /bin/sh, allowing shell metacharacters like $(), backticks, semicolons, and pipes to break out of the intended command context and execute arbitrary code. Six distinct injection points have been identified across the codebase, all sharing the same root cause of shell-enabled subprocess calls combined with missing input validation.
RemediationAI
Upgrade Modoboa to version 2.7.1 or later, which addresses the command injection vulnerability through proper input sanitization and safer subprocess invocation patterns. The fix commit is available at https://github.com/modoboa/modoboa/commit/27a7aa133d3608fe8c25ae39125d1012c333cbfa and the patched release can be obtained from https://github.com/modoboa/modoboa/releases/tag/2.7.1. Organizations unable to immediately upgrade should implement compensating controls including restricting Reseller and SuperAdmin account creation to only highly trusted administrators, implementing additional input validation at the web application firewall layer to block domain names containing shell metacharacters, auditing existing domain names for suspicious patterns, and monitoring system logs for unexpected process executions from the Modoboa application context. Network segmentation limiting the mail server's ability to initiate outbound connections can also reduce post-exploitation impact.
Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t
BentoML version 1.4.2 and earlier contains an unauthenticated remote code execution vulnerability through insecure deser
pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoi
The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python
BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Rated critica
OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph
pyLoad download manager version prior to 0.5.0b3.dev77 exposes the Flask SECRET_KEY through an unauthenticated endpoint.
In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and conse
Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/
pyLoad is the free and open-source Download Manager written in pure Python. Rated medium severity (CVSS 5.3), this vulne
Langflow (a visual LLM pipeline builder) contains a critical unauthenticated code execution vulnerability (CVE-2026-3301
Cross-user flow execution in Langflow (< 1.9.1) lets any authenticated API-key holder run another user's flow by passing
Same weakness CWE-78 – OS Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-15951
GHSA-wwv8-cqpr-vx3m