CVE-2026-3794
📋 TL;DR
This vulnerability allows attackers to bypass authentication in DoraCMS 3.0.x by exploiting the Email API endpoint /api/v1/mail/send. Attackers can remotely send emails without proper authentication, potentially leading to spam, phishing, or information disclosure. All systems running vulnerable versions of DoraCMS with the Email API exposed are affected.
💻 Affected Systems
- doramart DoraCMS
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could send malicious emails from the system, enabling phishing campaigns, spam distribution, or data exfiltration through email attachments, potentially damaging reputation and causing regulatory violations.
Likely Case
Unauthorized email sending leading to spam distribution, potential phishing attacks using the organization's domain, and possible information disclosure through email content.
If Mitigated
Limited impact with proper network segmentation and API access controls, potentially only affecting isolated test environments.
🎯 Exploit Status
The exploit is publicly available and can be launched remotely without authentication, making it easy for attackers to weaponize.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: None available
Restart Required: No
Instructions:
No official patch available. Consider upgrading to a newer version if available, or implement workarounds.
🔧 Temporary Workarounds
Block Email API Endpoint
Restrict access to the vulnerable /api/v1/mail/send endpoint using web server configuration or firewall rules. The rules below belong in the server or virtual-host context (in an Apache .htaccess file the leading slash is stripped from the path and RewriteEngine On is required); the Nginx rule uses an exact match so that only this path is blocked.
# For Apache: RewriteEngine On
#             RewriteRule ^/api/v1/mail/send$ - [F,L]
# For Nginx: location = /api/v1/mail/send { deny all; }
Implement API Authentication
Add authentication middleware to the Email API endpoint so that a request is only processed after it has presented valid credentials.
# Modify the API route to include authentication check
# Example: app.post('/api/v1/mail/send', authenticate, sendMail);
🧯 If You Can't Patch
- Implement network segmentation to isolate the DoraCMS instance from sensitive systems
- Deploy a Web Application Firewall (WAF) with rules to block unauthorized access to the Email API endpoint
🔍 How to Verify
Check if Vulnerable:
Test whether an email can be sent via a POST request to /api/v1/mail/send without authentication. Since the endpoint takes a JSON body, send the matching Content-Type header with curl: curl -X POST -H 'Content-Type: application/json' http://[target]/api/v1/mail/send -d '{"to":"test@example.com","subject":"test","body":"test"}' . A vulnerable instance accepts the request; a fixed or mitigated one should return an authentication error or a 403.
Check Version:
Check DoraCMS version in admin panel or configuration files. Typically in package.json or similar configuration.
Verify Fix Applied:
After implementing workarounds, verify that unauthorized POST requests to /api/v1/mail/send return authentication errors or are blocked.
📡 Detection & Monitoring
Log Indicators:
- Unusual volume of POST requests to /api/v1/mail/send from unauthorized IPs
- Email sending logs showing messages from unauthenticated users
Network Indicators:
- HTTP POST requests to /api/v1/mail/send without authentication headers
- Unusual outbound SMTP traffic from the DoraCMS server
SIEM Query:
source="web_server" AND uri_path="/api/v1/mail/send" AND http_method="POST" AND NOT (user_agent="legitimate_client" OR src_ip="trusted_ip")
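As an added example that is not part of the original advisory, the following script applies the two log indicators above (unauthenticated POSTs to /api/v1/mail/send that the server accepted, and an unusual volume of such requests from one untrusted source) to a handful of constructed JSON-lines access-log records. The field names (src_ip, method, uri_path, status, has_auth), the trusted-IP list and the volume threshold are assumptions; map them to your own web-server log schema and to the SIEM query above.

```javascript
// Added example (not DoraCMS code): scan access-log lines for the detection
// indicators listed above. Log format and field names are constructed.
const MAIL_SEND_PATH = '/api/v1/mail/send';

// Constructed sample log (JSON lines). has_auth records whether the request
// carried an Authorization header; status is the server's response code.
const SAMPLE_LOG = [
  '{"ts":"2026-04-01T10:00:01Z","src_ip":"10.0.0.5","method":"POST","uri_path":"/api/v1/mail/send","status":200,"has_auth":true}',
  '{"ts":"2026-04-01T10:00:02Z","src_ip":"203.0.113.9","method":"POST","uri_path":"/api/v1/mail/send","status":200,"has_auth":false}',
  '{"ts":"2026-04-01T10:00:03Z","src_ip":"203.0.113.9","method":"POST","uri_path":"/api/v1/mail/send","status":200,"has_auth":false}',
  '{"ts":"2026-04-01T10:00:04Z","src_ip":"203.0.113.9","method":"POST","uri_path":"/api/v1/mail/send","status":200,"has_auth":false}',
  '{"ts":"2026-04-01T10:00:05Z","src_ip":"198.51.100.7","method":"GET","uri_path":"/api/v1/content","status":200,"has_auth":false}',
  'this line is not JSON and must be skipped, not crash the scan',
  '{"ts":"2026-04-01T10:00:06Z","src_ip":"198.51.100.7","method":"POST","uri_path":"/api/v1/mail/send","status":401,"has_auth":false}',
];

// Parse one line defensively: malformed lines are counted, never fatal.
function parseLine(line) {
  try {
    const rec = JSON.parse(line);
    return rec && typeof rec === 'object' ? rec : null;
  } catch (e) {
    return null;
  }
}

// Returns { findings, skipped }. opts.trustedIps are excluded (the SIEM
// query's "trusted_ip"); opts.threshold is the per-IP volume trigger.
function detectMailApiAbuse(lines, opts) {
  const options = opts || {};
  const trusted = new Set(options.trustedIps || []);
  const threshold = options.threshold !== undefined ? options.threshold : 3;
  const perIp = new Map();
  const findings = [];
  let skipped = 0;

  for (const line of lines) {
    const rec = parseLine(line);
    if (!rec) { skipped += 1; continue; }
    if (rec.method !== 'POST' || rec.uri_path !== MAIL_SEND_PATH) continue;
    if (trusted.has(rec.src_ip)) continue;

    perIp.set(rec.src_ip, (perIp.get(rec.src_ip) || 0) + 1);

    // Indicator 1: no authentication header AND the server accepted the send.
    // A 401/403 here means the mitigation worked and is not flagged.
    if (!rec.has_auth && rec.status >= 200 && rec.status < 300) {
      findings.push({ type: 'unauthenticated_send_accepted', src_ip: rec.src_ip, ts: rec.ts });
    }
  }

  // Indicator 2: unusual volume of POSTs to the endpoint from one untrusted IP.
  for (const [ip, count] of perIp) {
    if (count >= threshold) findings.push({ type: 'high_volume', src_ip: ip, count });
  }
  return { findings, skipped };
}

// Stand-alone run over the constructed sample.
const report = detectMailApiAbuse(SAMPLE_LOG, { trustedIps: ['10.0.0.5'], threshold: 3 });
console.log(JSON.stringify(report, null, 2));
```

On the sample above the scan reports the three accepted unauthenticated sends from 203.0.113.9, a high-volume finding for that same address, and nothing for the rejected (401) request or the trusted internal client; the non-JSON line is counted under skipped rather than aborting the run.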