Critical authentication bypass vulnerability in the SmarterMail email server allowing complete administrative takeover via the password reset API. Over 6,000 vulnerable instances are internet-facing, with active exploitation confirmed by its CISA KEV listing.
Data Source: CIRCL
Confidence: HIGH
Exploitation Method: DIRECT_NETWORK
CVE Published: 2026-01-22
Added to CISA KEV: 2026-01-26 (4 days between CVE publication and KEV listing)
CVE-2026-23760 detail description: SmarterTools SmarterMail versions prior to build 9511 contain an authentication bypass vulnerability in the password reset API. The force-reset-password endpoint permits anonymous requests and fails to verify the existing password or a reset token when resetting system administrator accounts.
SmarterMail-CVE-2026-23760-poc: a proof-of-concept exploiting the authentication bypass via the password reset API for the SmarterMail system administrator account. Unauthorized access to computer systems is illegal. Repository summary: CVE-2026-23760 - An authentication bypass via password reset API in SmarterMail.
CVE-2026-23760 is in the CISA Known Exploited Vulnerabilities Catalog. CISA vulnerability name: SmarterTools SmarterMail Authentication Bypass Using an Alternate Path or Channel Vulnerability. CISA required action:
Nonprofit security organization Shadowserver reported that over 6,000 SmarterMail servers are exposed on the internet and likely vulnerable to attacks exploiting a critical authentication bypass flaw tracked as CVE-2026-23760.