CVE-2026-41232
Authorization Bypass in Froxlor EmailSender Allows Spoofing
Publication date: 2026-04-23
Last updated on: 2026-04-27
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| froxlor | froxlor | up to 2.3.6 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-863 | The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-41232 is a vulnerability in Froxlor server administration software versions prior to 2.3.6. The issue occurs in the EmailSender::add() function, where the domain ownership validation for full email sender aliases incorrectly uses the local part of the email address instead of the domain part when checking ownership. This means the system mistakenly validates ownership for non-existent domains named after the local part, causing the ownership check to always pass.
As a result, any authenticated customer can add sender aliases for email addresses on domains owned by other customers. Postfix's sender_login_maps then authorizes sending emails as those forged addresses, enabling cross-customer email spoofing.
The vulnerability is fixed in Froxlor version 2.3.6 by correcting the array index used to validate the domain part of the email address.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows authenticated customers to add sender aliases for email addresses on domains belonging to other customers, enabling cross-customer email spoofing. This can lead to phishing attacks and damage to the reputation of legitimate domains.
Such unauthorized email spoofing and potential phishing can result in violations of data protection and privacy regulations like GDPR and HIPAA, which require organizations to protect personal data and ensure secure communication channels.
By compromising multi-tenant isolation and allowing impersonation of other customers' email addresses, the vulnerability undermines the integrity and trustworthiness of email communications, which are critical for compliance with these standards.
How can this vulnerability impact me?
This vulnerability allows an authenticated user to impersonate email addresses from domains owned by other customers on the same Froxlor server. Attackers can send emails that appear to come from legitimate domains, bypassing Postfix's sender restrictions.
The impact includes the potential for phishing attacks, reputation damage, and abuse of the mail server to send spoofed emails. Since the emails originate from the legitimate mail server, they may pass SPF and DKIM checks if those DNS records point to the Froxlor server, making detection harder.
This compromises multi-tenant isolation and trust in the email system.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves incorrect domain ownership validation in Froxlor's EmailSender::add() function, allowing unauthorized sender aliases. Detection involves verifying whether the installed Froxlor version is prior to 2.3.6 and checking for unauthorized sender aliases in the system.
You can inspect the mail_sender_aliases.allowed_sender entries in the database to identify sender aliases whose domain is not owned by the customer that created them.
Additionally, monitoring Postfix logs for unusual sender_login_maps authorizations or emails sent from unexpected sender aliases may help detect exploitation.
- Check Froxlor version: `dpkg -l | grep froxlor` or equivalent package manager commands.
- Query the database for sender aliases with domains not owned by the authenticated user, e.g., using SQL: `SELECT * FROM mail_sender_aliases WHERE allowed_sender LIKE '%@otherdomain.com';`
- Review Postfix logs for sender_login_maps authorizations: `grep 'sender_login_maps' /var/log/mail.log` or equivalent.
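The wrong-index ownership check described in the explanation above and the alias audit suggested in the detection answer, as an added Python example that is not Froxlor's own code. The shape of the gate (refuse only when the candidate domain belongs to another customer), the DOMAIN_OWNER map and the (customerid, allowed_sender) row layout are assumptions modelled on the page's description; the sample rows are constructed.

```python
# Added example, not Froxlor's code: models the ownership gate the page
# describes for EmailSender::add() and a defender-side audit of alias rows.
# DOMAIN_OWNER and the (customerid, allowed_sender) row layout are assumed.

# Constructed sample data: domain -> owning customer id.
DOMAIN_OWNER = {"alpha.example": 1, "beta.example": 2}


def split_sender(address):
    """Return (local_part, domain); reject anything without exactly one '@'
    or with an empty side so the gate is never fed a malformed value."""
    parts = address.split("@")
    if len(parts) != 2 or not parts[0] or not parts[1]:
        raise ValueError(f"malformed sender address: {address!r}")
    return parts[0], parts[1].lower()


def add_sender_alias_allowed(customer_id, address, fixed=True):
    """Ownership gate: refuse the alias if the candidate domain belongs to a
    different customer. fixed=False reproduces the pre-2.3.6 defect as the
    page describes it: index 0 (the local part) is looked up instead of
    index 1 (the domain); no domain is named after a local part, so the
    lookup misses and nothing is ever refused."""
    parts = split_sender(address)
    candidate = parts[1] if fixed else parts[0]
    owner = DOMAIN_OWNER.get(candidate)
    return owner is None or owner == customer_id


def audit_sender_aliases(rows):
    """Flag (customerid, allowed_sender) rows whose domain the customer does
    not positively own, plus rows that do not parse. Returns a list of
    (customerid, allowed_sender, reason) tuples."""
    findings = []
    for customer_id, address in rows:
        try:
            _, domain = split_sender(address)
        except ValueError:
            findings.append((customer_id, address, "malformed address"))
            continue
        if DOMAIN_OWNER.get(domain) != customer_id:
            findings.append((customer_id, address, "domain not owned by customer"))
    return findings


# Constructed rows: customer 2 has added an alias on customer 1's domain.
SAMPLE_ROWS = [(1, "billing@alpha.example"), (2, "news@beta.example"),
               (2, "ceo@alpha.example"), (2, "broken-address")]
```

Running `audit_sender_aliases(SAMPLE_ROWS)` flags the cross-customer alias and the malformed row; the audit uses positive ownership rather than the "not someone else's" gate, which is the stricter posture for a cleanup.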
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade Froxlor to version 2.3.6 or later, where the domain ownership validation bug in EmailSender::add() is fixed.
If immediate upgrade is not possible, restrict authenticated customers from adding sender aliases until the fix can be applied.
Review and clean existing sender aliases in the database to remove any unauthorized aliases that could be exploited.
Monitor Postfix logs for suspicious sender_login_maps authorizations and block or investigate any unauthorized email sending.