Executive Summary

CVE-2026-23760 is a critical authentication bypass vulnerability in SmarterTools SmarterMail versions prior to build 9511. The flaw exists in the password reset API's force-reset-password endpoint, which allows anonymous requests without verifying the existing password or a reset token when resetting system administrator accounts. An unauthenticated attacker can submit a target administrator username and a new password to reset the account password, resulting in full administrative access to the SmarterMail instance. [1, 2]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows an unauthenticated attacker to reset the password of any system administrator account without verification, leading to full administrative compromise of the SmarterMail server. Once administrative access is gained, the attacker can execute arbitrary operating system commands with SYSTEM-level privileges via SmarterMail's features, resulting in complete system compromise including remote code execution (RCE). This can lead to data breaches, service disruption, and unauthorized control over the affected system. [1, 2]

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by monitoring for unauthorized POST requests to the `/api/v1/auth/force-reset-password` endpoint, especially those containing JSON payloads with `IsSysAdmin: true` and administrator usernames. A proof of concept involves sending such a POST request with a new password to reset the admin account without authentication. Network intrusion detection systems (NIDS) or web application firewalls (WAF) can be configured to alert on such suspicious requests. For manual detection, you can use tools like curl to test the endpoint (on a non-production system) or check web server logs for POST requests to this endpoint with suspicious payloads. Example curl command to test (do not run on production without authorization): ``` curl -X POST https://<smartermail-server>/api/v1/auth/force-reset-password \ -H "Content-Type: application/json" \ -d '{"IsSysAdmin":true,"Username":"admin","NewPassword":"NewPass123!","ConfirmPassword":"NewPass123!"}' ``` If the response indicates success without authentication, the system is vulnerable. [2]

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to upgrade SmarterMail to build 9511 or later, as this patch enforces validation of the old password before allowing a password reset for administrator accounts. This update was released on January 15, 2026, and addresses the authentication bypass vulnerability. Additionally, restrict access to the password reset API endpoint if possible, monitor logs for suspicious activity targeting this endpoint, and apply network-level protections such as firewall rules or WAF policies to block unauthorized requests. Prompt patching is critical due to confirmed active exploitation shortly after the patch release. [2, 3]

Useful 0 Not Useful 0

Compliance Impact

This vulnerability allows unauthenticated attackers to gain full administrative access to SmarterMail instances by bypassing authentication in the password reset API. Such a compromise can lead to unauthorized access to sensitive personal and health information stored or processed by the mail server, potentially resulting in violations of data protection regulations like GDPR and HIPAA. The full administrative compromise and potential for remote code execution increase the risk of data breaches, unauthorized data modification, and loss of data integrity and availability, all of which negatively impact compliance with these standards. Immediate patching is critical to mitigate these risks. [1, 2]

Useful 0 Not Useful 0