CVE-2026-23760
📋 TL;DR
CVE-2026-23760 is an authentication bypass vulnerability in SmarterMail's password reset API that allows unauthenticated attackers to reset administrator passwords. This leads to full administrative compromise of the email server, potentially granting SYSTEM/root access on the underlying host. All SmarterMail instances prior to build 9511 are affected.
💻 Affected Systems
- SmarterTools SmarterMail
📦 What is this software?
SmarterMail by SmarterTools
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the SmarterMail instance leading to SYSTEM/root access on the host, data exfiltration, ransomware deployment, and lateral movement within the network.
Likely Case
Administrative takeover of the email server, access to all email accounts, and potential command execution on the underlying operating system.
If Mitigated
Limited impact if proper network segmentation, access controls, and monitoring are in place to detect and block exploitation attempts.
🎯 Exploit Status
Exploitation requires only HTTP requests to the vulnerable endpoint with minimal technical knowledge. Multiple public exploit scripts and detailed analysis are available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Build 9511 or later
Vendor Advisory: https://www.smartertools.com/smartermail/release-notes/current
Restart Required: Yes
Instructions:
1. Backup current configuration and data.
2. Download and install SmarterMail build 9511 or later from the official website.
3. Restart the SmarterMail service.
4. Verify the update was successful by checking the build number.
🔧 Temporary Workarounds
Network Access Control
Block external access to the SmarterMail web interface/API using firewall rules
Web Application Firewall
Implement WAF rules to block requests to the force-reset-password endpoint
🧯 If You Can't Patch
- Isolate the SmarterMail server from the internet and restrict access to trusted internal networks only
- Implement strict network monitoring and alerting for any password reset attempts on administrator accounts
🔍 How to Verify
Check if Vulnerable:
Check the SmarterMail build number in the web interface under Help > About. If the build number is lower than 9511, the system is vulnerable.
Check Version:
Not applicable - check via web interface at /help/about or in SmarterMail administration panel
Verify Fix Applied:
After updating, verify the build number is 9511 or higher in Help > About. Test that the force-reset-password endpoint now requires proper authentication.
📡 Detection & Monitoring
Log Indicators:
- HTTP POST requests to /api/v1/authentication/force-reset-password
- Unusual administrator password reset events
- Failed authentication attempts followed by successful password resets
Network Indicators:
- Unusual traffic patterns to the password reset API endpoint
- External IP addresses accessing administrative functions
SIEM Query:
source="smartermail" AND (uri_path="/api/v1/authentication/force-reset-password" OR event_type="password_reset")
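A minimal detector for the log indicators above, added here as an example and not code from the advisory or the vendor: it parses combined-format access log lines (an assumption about your log format; SmarterMail or a reverse proxy in front of it may write something else) and flags every POST to the force-reset endpoint, rating hits from outside RFC 1918 space that were not rejected as high.

```python
import ipaddress
import re

# Assumption: combined-format access log (SmarterMail or its reverse proxy may
# write another format, so adapt LOG_RE); the endpoint path is from the advisory.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+')
RESET_ENDPOINT = "/api/v1/authentication/force-reset-password"
# Assumption: RFC 1918 ranges are the "trusted internal networks" of the workaround.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_line(line):
    """Parse one combined-format line; None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_external(ip_text):
    """True unless the source is inside a trusted range (malformed = untrusted)."""
    try:
        return not any(ipaddress.ip_address(ip_text) in n for n in TRUSTED_NETS)
    except ValueError:
        return True

def find_reset_attempts(lines):
    """Flag every POST to the force-reset endpoint; external and not rejected = high."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        # Strip query string, trailing slash and case so variants still match.
        path = rec["path"].split("?", 1)[0].rstrip("/").lower()
        if path != RESET_ENDPOINT:
            continue
        status, external = int(rec["status"]), is_external(rec["ip"])
        findings.append({"ts": rec["ts"], "ip": rec["ip"], "status": status,
                         "external": external,
                         "severity": "high" if external and status < 400 else "medium"})
    return findings

# Constructed sample lines (not real traffic); 198.51.100.0/24 and 203.0.113.0/24
# are documentation ranges standing in for Internet sources.
SAMPLE_LOG = [
    '198.51.100.23 - - [10/Feb/2026:08:14:02 +0000] "POST /api/v1/authentication/force-reset-password HTTP/1.1" 200 312 "-" "python-requests/2.31"',
    '192.168.10.5 - - [10/Feb/2026:08:15:10 +0000] "GET /help/about HTTP/1.1" 200 1540 "-" "Mozilla/5.0"',
    '192.168.10.7 - - [10/Feb/2026:08:16:44 +0000] "POST /api/v1/authentication/force-reset-password?x=1 HTTP/1.1" 401 0 "-" "curl/8.4"',
    '203.0.113.9 - - [10/Feb/2026:08:17:01 +0000] "POST /api/v1/authentication/login HTTP/1.1" 200 200 "-" "Mozilla/5.0"',
]
```

On the sample, `find_reset_attempts(SAMPLE_LOG)` returns two findings: the external 200 as high and the internal 401 as medium; once build 9511 is in place, any 2xx on this endpoint from an unauthenticated source still deserves a look.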
🔗 References
- https://code-white.com/public-vulnerability-list/#authenticationserviceforceresetpassword-missing-authentication-in-smartermail
- https://labs.watchtowr.com/attackers-with-decompilers-strike-again-smartertools-smartermail-wt-2026-0001-auth-bypass/
- https://www.smartertools.com/smartermail/release-notes/current
- https://www.vulncheck.com/advisories/smartertools-smartermail-authentication-bypass-via-password-reset-api
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-23760
- https://www.huntress.com/blog/smartermail-account-takeover-leading-to-rce