CVE-2026-23760 - SmarterTools SmarterMail Authentication Bypass Using an Alternate Path or Channel Vulnerability

Vulnerability Name

SmarterTools SmarterMail Authentication Bypass Using an Alternate Path or Channel Vulnerability

Description

SmarterTools SmarterMail contains an authentication bypass using an alternate path or channel vulnerability in the password reset API. The force-reset-password endpoint permits anonymous requests and fails to verify the existing password or a reset token when resetting system administrator accounts. This could allow an unauthenticated attacker to supply a target administrator username and a new password to reset the account, resulting in full administrative compromise of the SmarterMail instance.

Known To Be Used in Ransomware Campaigns?

Known

Action

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Additional Notes

https://www.smartertools.com/smartermail/release-notes/current

https://nvd.nist.gov/vuln/detail/CVE-2026-23760

Related News Articles

China-Linked Storm-1175 Exploits Zero-Days to Rapidly Deploy Medusa RansomwareApril 7, 2026

Microsoft links Medusa ransomware affiliate to zero-day attacksApril 7, 2026

Warlock Ransomware Breaches SmarterTools Through Unpatched SmarterMail ServerFebruary 10, 2026

Hackers breach SmarterTools network using flaw in its own softwareFebruary 10, 2026

SmarterMail Fixes Critical Unauthenticated RCE Flaw with CVSS 9.3 ScoreJanuary 30, 2026