cve detail

CVE-2026-23760

naam

SmarterTools SmarterMail Authentication Bypass Using an Alternate Path or Channel Vulnerability

SmarterTools SmarterMail contains an authentication bypass using an alternate path or channel vulnerability in the password reset API. The force-reset-password endpoint permits anonymous requests and fails to verify the existing password or a reset token when resetting system administrator accounts. This could allow an unauthenticated attacker to supply a target administrator username and a new password to reset the account, resulting in full administrative compromise of the SmarterMail instance.

KEV

bekend misbruikt

EPSS

80%

percentiel

99%

vendor

SmarterTools

product

SmarterMail

toegevoegd aan KEV

26 jan 2026

due date

16 feb 2026

ransomware

Known

CWE

CWE-288

EPSS datum

12 mei 2026

aanbevolen actie

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

notities

https://www.smartertools.com/smartermail/release-notes/current ; https://nvd.nist.gov/vuln/detail/CVE-2026-23760