🔴 CVE-2026-23760

Critical authentication bypass vulnerability in SmarterMail email server allowing complete administrative takeover via password reset API. Over 6,000 vulnerable instances are internet-facing with active exploitation confirmed by CISA KEV listing.

Risk Level: HIGH_RISK

CVSS Score: 9.3

Attack Vector: NETWORK

ATT&CK Tactic: Initial Access

ATT&CK Technique: T1190 — Exploit Public-Facing Application

Deployment Risk: VERY_HIGH

Ransomware: Yes (+31d)

📋 Vulnerability Details

Data Source: CIRCL

Confidence: HIGH

Exploitation Method: DIRECT_NETWORK

CVE Published: 2026-01-22

Added to CISA KEV: 2026-01-26 (4 days between CVE publication and KEV listing)

🎯 Recommendations:

πŸ” Web Intelligence (Kagi Β· 2026-01-27)

CVE-2026-23760 is a vulnerability affecting SmarterTools SmarterMail versions prior to build 9511. It is an authentication bypass in the password reset API: anonymous requests can reset system administrator accounts without the existing password or a reset token being verified [1][4].

Here's a breakdown of what is known about its exploitation:

  • Internet-facing applications or services: Yes. SmarterMail is email server software that is typically internet-facing. Shadowserver has reported that over 6,000 SmarterMail servers are exposed on the internet and are likely vulnerable [5][6].
  • Evidence of active exploitation in the wild: Yes, CISA has added CVE-2026-23760 to its Known Exploited Vulnerabilities (KEV) Catalog, indicating evidence of active exploitation [3][7].
  • Attack vectors and exploitation methods: The vulnerability lies in the password reset API. An attacker can exploit this by making anonymous requests to the `force-reset-password` endpoint, which fails to properly verify credentials, thus bypassing authentication and gaining administrative access [1][2].
  • Used in targeted attacks: While the provided information confirms active exploitation and its presence in the KEV catalog, it does not specifically detail whether it has been used in targeted attacks against particular organizations.
  • CISA Known Exploited Vulnerabilities status: CVE-2026-23760 is listed in the CISA Known Exploited Vulnerabilities (KEV) Catalog [3][7]. This means CISA has confirmed evidence of its active exploitation.
  • Technical details about internet exploitability: The vulnerability is exploitable via the password reset API. Specifically, the `force-reset-password` endpoint allows for authentication bypass by permitting anonymous requests and not verifying the current password or a reset token [1][2]. This allows an attacker to reset the password for system administrator accounts. Proof-of-concept (PoC) exploits have been developed for this vulnerability [2][8].
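The missing control described above, as an added illustration that is not SmarterMail code: a reset handler that refuses anonymous requests and changes a password only after verifying the caller's current password or a single-use, time-limited reset token. The user store, function names and the audit list are hypothetical.

```python
# Added example (not SmarterMail code): enforce the checks the advisory says
# the force-reset-password endpoint skipped. Names and store are hypothetical.
import hashlib
import hmac
import secrets
import time

# Constructed in-memory user store. A real system would use a password KDF
# (argon2/bcrypt) rather than a bare SHA-256 digest.
USERS = {
    "sysadmin": {"pw_hash": hashlib.sha256(b"OldPassw0rd!").hexdigest(),
                 "role": "system_admin", "reset": None},
}
AUDIT = []  # one record per reset attempt, for alerting on anonymous attempts


def _digest(password):
    return hashlib.sha256(password.encode()).hexdigest()


def issue_reset_token(username, ttl=900):
    """Create a single-use reset token that expires after ttl seconds."""
    token = secrets.token_urlsafe(32)
    USERS[username]["reset"] = {"token": token, "expires": time.time() + ttl}
    return token


def hardened_reset(username, new_password, current_password=None, reset_token=None):
    """Return True only if the caller proves identity by current password
    or by a valid, unexpired reset token; anonymous requests always fail."""
    user = USERS.get(username)
    ok = False
    if user is None:
        ok = False  # unknown account; same outcome so nothing is leaked
    elif current_password is not None:
        ok = hmac.compare_digest(user["pw_hash"], _digest(current_password))
    elif reset_token is not None and user["reset"] is not None:
        r = user["reset"]
        ok = time.time() < r["expires"] and hmac.compare_digest(r["token"], reset_token)
        if ok:
            user["reset"] = None  # consume the token: single use
    AUDIT.append({"user": username, "ok": ok,
                  "anonymous": current_password is None and reset_token is None})
    if ok:
        user["pw_hash"] = _digest(new_password)
    return ok
```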

Sources

  1. GitHub - MaxMnMl/smartermail-CVE-2026-23760-poc...

    SmarterMail-CVE-2026-23760-poc. A proof-of-concept exploiting an authentication bypass via password reset API for the SmarterMail system administrator account. Unauthorized access to computer systems is illegal. CVE-2026-23760 - An authentication bypass via password reset API in…

  2. NVD - cve-2026-23760

    CVE-2026-23760 Detail Description SmarterTools SmarterMail versions prior to build 9511 contain an authentication bypass vulnerability in the password reset API. The force-reset-password endpoint permits anonymous requests and fails to verify the existing password or a reset token when resetting sys…

  3. CVE-2026-23760 : SmarterTools SmarterMail versions prior to build 9511 ...

    CVE-2026-23760 is in the CISA Known Exploited Vulnerabilities Catalog CISA vulnerability name: SmarterTools SmarterMail Authentication Bypass Using an Alternate Path or Channel Vulnerability CISA required action:…

  4. CVE-2026-23760 - Exploits & Severity

    SmarterTools SmarterMail versions prior to build 9511 contain an authentication bypass vulnerability in the password reset API.

  5. CVE-2026-23760 Archives - Security Affairs

    Nonprofit security organization Shadowserver reported that over 6,000 SmarterMail servers are exposed on the internet and likely vulnerable to attacks exploiting a critical authentication bypass flaw tracked as CVE-2026-23760.