Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
SmarterTools SmarterMail builds prior to 9560 contain a local file inclusion vulnerability in the /api/v1/report/summary/{type} API endpoint that allows authenticated users to read arbitrary .json files on the system. Attackers can exploit this vulnerability combined with weak encryption algorithms and hardcoded keys to decrypt and access stored passwords and 2FA secrets for all users.
AnalysisAI
Authenticated attackers can read arbitrary JSON files from SmarterMail servers prior to build 9560 through a path traversal vulnerability in the /api/v1/report/summary/{type} endpoint. The vulnerability chains with weak encryption and hardcoded keys to decrypt stored passwords and two-factor authentication secrets for all system users, enabling complete account compromise. VulnCheck identified this vulnerability; vendor patch available in build 9560 or later. CVSS 8.7 reflects high confidentiality and integrity impact with low attack complexity, though requiring authenticated access (PR:L) moderates immediate risk for internet-exposed instances with strong authentication controls.
Technical ContextAI
This is a classic path traversal (CWE-22) vulnerability affecting the SmarterMail email server platform's REST API reporting endpoint. The /api/v1/report/summary/{type} parameter fails to properly sanitize the {type} input, allowing authenticated users to traverse outside the intended directory structure using directory traversal sequences (likely '../' patterns) to access arbitrary .json files on the filesystem. The severity escalates because SmarterMail stores sensitive credential data (passwords and TOTP 2FA secrets) in JSON format encrypted with weak algorithms and hardcoded cryptographic keys - effectively security through obscurity. Once an attacker retrieves these encrypted JSON files through the LFI, the hardcoded keys enable trivial decryption, transforming a file read vulnerability into credential disclosure affecting all users on the system. This represents a fundamental failure in both input validation (the traversal) and secure credential storage (weak crypto with embedded keys rather than using platform key stores or HSMs).
RemediationAI
Upgrade immediately to SmarterMail build 9560 or later, which addresses the path traversal vulnerability according to vendor release notes at https://www.smartertools.com/smartermail/release-notes/current. Post-upgrade, organizations must rotate ALL user passwords and regenerate all 2FA secrets system-wide, as the hardcoded encryption keys mean any previously exfiltrated credential files remain decryptable indefinitely. If immediate patching is not feasible, implement network-level restrictions to limit API endpoint access to trusted IP ranges only, though this provides incomplete protection if authenticated users access from allowed networks. Disabling the /api/v1/report/summary/* endpoints entirely through reverse proxy URL filtering (block .*/api/v1/report/summary/.* paths) prevents exploitation but may impact legitimate reporting functionality that depends on this API. Organizations should review authentication logs for anomalous API requests to /api/v1/report/summary/ with suspicious {type} parameters containing traversal sequences, and conduct forensic analysis to determine if credential files were accessed prior to patching.
More in Smartermail
View allSmarterTools SmarterMail prior to build 9511 contains a critical authentication bypass in the password reset API (CVE-20
SmarterTools SmarterMail prior to build 9511 contains a second critical vulnerability (CVE-2026-24423) — an unauthentica
SmarterTools SmarterMail 16.x before build 6985 allows deserialization of untrusted data. Rated critical severity (CVSS
SmarterTools SmarterMail 16.x before build 6985 has hardcoded secret keys. Rated high severity (CVSS 8.2), this vulnerab
SmarterTools SmarterMail 16.x through 100.x before 100.0.7803 allows remote code execution. Rated critical severity (CVS
SmarterTools SmarterMail 8495 through 8664 before 8747 allows stored XSS via a crafted description of a Calendar appoint
SmarterTools SmarterMail 8495 through 8664 before 8747 allows stored DOM XSS because an XSS protection mechanism is skip
SmarterTools SmarterMail 8495 through 8664 before 8747 allows stored XSS by using image/svg+xml and an uploaded SVG docu
Multiple cross-site scripting (XSS) vulnerabilities in SmarterMail 9.2 allow remote attackers to inject arbitrary web sc
SmarterTools SmarterMail 16.x before build 6985 allows directory traversal. Rated medium severity (CVSS 6.5), this vulne
SmarterTools SmarterMail 16.x through 100.x before 100.0.7803 allows XSS. Rated medium severity (CVSS 6.1), this vulnera
SmarterTools SmarterMail before Build 7776 allows XSS. Rated medium severity (CVSS 6.1), this vulnerability is remotely
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-28826
GHSA-qhw2-rfvc-fvrq