CVE-2026-56780

Insecure Direct Object Reference in Modoboa Leading to Privilege Escalation

Vulnerability report for CVE-2026-56780, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-29

Last updated on: 2026-06-29

Assigner: VulnCheck

Description

Modoboa before 2.9.0 contains an insecure direct object reference vulnerability in the PUT /api/v1/accounts/{pk}/password/ endpoint that allows domain administrators to change any user's password. Attackers with domain admin privileges can bypass object-level access controls to reset superadmin passwords and achieve full account takeover.

Meta Information

Published: 2026-06-29
Last Modified: 2026-06-29
Generated: 2026-06-29
AI Q&A: 2026-06-29
EPSS Evaluated: N/A

Affected Vendors & Products

Vendor: modoboa
Product: modoboa
Version / Range: all versions up to 2.9.0 (2.9.0 excluded)

Exploitability

CWE-639: The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

Executive Summary

CVE-2026-56780 is an Insecure Direct Object Reference (IDOR) vulnerability in Modoboa versions before 2.9.0, specifically in the PUT /api/v1/accounts/{pk}/password/ endpoint.

This vulnerability allows domain administrators to bypass object-level access controls and change the password of any user, including superadmin accounts.

As a result, attackers with domain admin privileges can reset superadmin passwords and achieve full account takeover.

Impact Analysis

The impact is severe: an attacker who holds domain admin privileges can reset the password of any user, including superadmins, without any object-level check on whether that account is within their scope.

Such an unauthorized password change leads directly to full account takeover of the targeted account.

An attacker who takes over a superadmin account controls the entire Modoboa installation, with potential consequences including data breaches, unauthorized access to sensitive mail data, and disruption of service.

Mitigation Strategies

To mitigate CVE-2026-56780, upgrade Modoboa to version 2.9.0 or later, or apply the security fix introduced in versions 2.8.3 and 2.9.0.

The fix restricts domain administrators from changing passwords of superadmin accounts or accounts outside their domain, preventing unauthorized password changes.

After upgrading, confirm that the updated API endpoint returns a 404 error when a domain administrator attempts to change the password of a superadmin or of an account outside their own domain.
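The authorization rule the fix introduces can be illustrated in isolation. The following Python is an added example written for this page, not Modoboa's code: it models the decision behind the PUT /api/v1/accounts/{pk}/password/ endpoint with a minimal, constructed account directory. The Account model, the role labels (SuperAdmins, DomainAdmins, SimpleUsers), the handler names, and the rules that an account may change its own password and that superadmins may change anyone's are all assumptions; the domain-admin restriction and the 404 response are taken from the advisory text above.

```python
"""Object-level authorization for an account password-change endpoint.

Added example (not Modoboa's code). Models the check behind
PUT /api/v1/accounts/{pk}/password/ as the advisory describes it.
Account model, role labels and helper names are assumptions.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

SUPERADMIN = "SuperAdmins"   # assumed role labels
DOMAINADMIN = "DomainAdmins"
USER = "SimpleUsers"


@dataclass(frozen=True)
class Account:
    pk: int
    username: str
    domain: str   # "" for accounts not attached to a mail domain
    role: str


@dataclass(frozen=True)
class Response:
    status: int
    detail: str


def hash_password(password: str, salt: bytes = b"") -> bytes:
    """PBKDF2 stand-in for the framework's password hasher; returns salt || digest."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt + digest


def check_password(password: str, stored: bytes) -> bool:
    """Constant-time comparison against a stored salt || digest value."""
    salt, digest = stored[:16], stored[16:]
    return hmac.compare_digest(hash_password(password, salt)[16:], digest)


def can_set_password(actor: Account, target: Account) -> bool:
    """Object-level rule matching the fix: a domain admin may only change
    passwords of non-superadmin accounts inside its own domain.
    Self-service and unrestricted superadmins are assumptions."""
    if actor.pk == target.pk or actor.role == SUPERADMIN:
        return True
    if actor.role == DOMAINADMIN:
        return target.role != SUPERADMIN and target.domain == actor.domain
    return False


def _apply(pk: int, new_password: str, hashes: dict) -> Response:
    hashes[pk] = hash_password(new_password)
    return Response(200, "password updated")


def set_password_vulnerable(actor, pk, new_password, accounts, hashes) -> Response:
    """Pre-fix shape (CWE-639): checks the caller's role but never asks
    whether *this* actor may modify *this* target identified by pk."""
    if actor.role not in (SUPERADMIN, DOMAINADMIN) and actor.pk != pk:
        return Response(404, "Not found.")
    if pk not in accounts:
        return Response(404, "Not found.")
    return _apply(pk, new_password, hashes)


def set_password_fixed(actor, pk, new_password, accounts, hashes) -> Response:
    """Post-fix shape: object-level check before any mutation. Out-of-scope
    targets get the same 404 as missing ones, as the advisory states, so the
    endpoint does not reveal whether a pk outside the caller's scope exists."""
    target = accounts.get(pk)
    if target is None or not can_set_password(actor, target):
        return Response(404, "Not found.")
    return _apply(pk, new_password, hashes)


def build_fixture():
    """Constructed sample directory: a superadmin, a domain admin, two users."""
    accounts = {
        1: Account(1, "admin", "", SUPERADMIN),
        2: Account(2, "dadmin@example.test", "example.test", DOMAINADMIN),
        3: Account(3, "alice@example.test", "example.test", USER),
        4: Account(4, "bob@other.test", "other.test", USER),
    }
    hashes = {pk: hash_password(f"initial-{pk}") for pk in accounts}
    return accounts, hashes


def demo():
    """Status codes a domain admin gets when targeting the superadmin (pk 1),
    before and after the object-level check."""
    accounts, hashes = build_fixture()
    dadmin = accounts[2]
    before = set_password_vulnerable(dadmin, 1, "new-pw", accounts, hashes).status
    after = set_password_fixed(dadmin, 1, "new-pw", accounts, hashes).status
    return before, after


if __name__ == "__main__":
    print("vulnerable handler -> %d, fixed handler -> %d" % demo())
```

The design point worth keeping from this: a role check ("is the caller an admin?") is not an object-level check ("may this caller act on this pk?"). The fixed handler resolves the target first, evaluates the relationship between actor and target, and only then mutates; answering 404 rather than 403 for out-of-scope targets is what lets a post-upgrade verification treat "unauthorized" and "nonexistent" identically.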
