theinfosecnews

CVE-2026-23760

CISA KEV

Published January 26, 2026 · Updated April 3, 2026

high

What This Means

# CVE-2026-23760: SmarterMail Authentication Bypass

**Vulnerability:** SmarterTools SmarterMail's `/force-reset-password` API endpoint accepts unauthenticated requests and does not validate existing passwords or reset tokens before allowing admin account password changes.

**Impact:** An unauthenticated attacker can reset any administrator account password, gaining full administrative control of the SmarterMail instance without credentials.

**Actions:** Immediately inventory SmarterMail deployments. Apply the vendor patch when available. Restrict network access to the password reset API endpoint. Monitor authentication logs for suspicious password reset requests. If patching is delayed, implement IP whitelisting on administrative functions or disable the affected endpoint until remediation is complete.

Official Description

SmarterTools SmarterMail contains an authentication bypass using an alternate path or channel vulnerability in the password reset API. The force-reset-password endpoint permits anonymous requests and fails to verify the existing password or a reset token when resetting system administrator accounts. This could allow an unauthenticated attacker to supply a target administrator username and a new password to reset the account, resulting in full administrative compromise of the SmarterMail instance.

Affected Products

| Vendor | Product |
| --- | --- |
| SmarterTools | SmarterMail |

Patch Status

Patch by 2026-02-16

Recommended Actions

  1. Check if your systems use any of the affected products listed above.
  2. Apply vendor patches immediately if available.
  3. This vulnerability is in CISA's Known Exploited Vulnerabilities catalog — prioritize remediation.
  4. Monitor vendor advisories for updates and additional mitigations.
  5. Review logs for indicators of compromise related to CVE-2026-23760.
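The "monitor authentication logs" and "IP whitelisting" actions above, turned into a small log check as an added example (not code from the advisory or from SmarterTools): it parses common/combined-format web access log lines, flags every request to the `/force-reset-password` endpoint that comes from outside an admin allowlist, and counts hits per source. The log lines, the allowlist network and the exact path prefix are constructed assumptions; match on the endpoint suffix so a deployment-specific prefix still triggers.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in combined access-log format (not real SmarterMail logs).
SAMPLE_LOG = """\
10.0.0.5 - - [27/Jan/2026:09:14:02 +0000] "POST /force-reset-password HTTP/1.1" 200 312
203.0.113.44 - - [27/Jan/2026:09:15:10 +0000] "POST /force-reset-password HTTP/1.1" 200 312
203.0.113.44 - - [27/Jan/2026:09:15:11 +0000] "POST /force-reset-password HTTP/1.1" 200 312
198.51.100.7 - - [27/Jan/2026:09:16:45 +0000] "GET /interface/root HTTP/1.1" 200 1820
"""

# ip ident user [time] "METHOD path HTTP/x" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
RESET_SUFFIX = "/force-reset-password"  # endpoint named in the advisory

# Hypothetical admin allowlist; replace with the networks your admins actually use.
ADMIN_NETS = [ipaddress.ip_network("10.0.0.0/8")]


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_allowlisted(ip, nets=ADMIN_NETS):
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)


def find_reset_alerts(log_text, nets=ADMIN_NETS):
    """One alert per request to the reset endpoint from outside the allowlist."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["path"].split("?")[0].endswith(RESET_SUFFIX):
            continue
        if is_allowlisted(rec["ip"], nets):
            continue  # expected admin traffic; still worth auditing, but not an alert
        alerts.append({"ip": rec["ip"], "ts": rec["ts"], "method": rec["method"], "status": rec["status"]})
    return alerts


def alerts_by_source(alerts):
    """Count flagged requests per source IP (repeat hits suggest guessing admin names)."""
    return Counter(a["ip"] for a in alerts)


if __name__ == "__main__":
    found = find_reset_alerts(SAMPLE_LOG)
    for a in found:
        print(f"ALERT {a['ts']} {a['ip']} {a['method']} {RESET_SUFFIX} -> HTTP {a['status']}")
    print(dict(alerts_by_source(found)))
```

A 200 response on a flagged request is the case to treat as a probable compromise and to cross-check against administrator password-change events.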