CVE-2026-23760
SmarterTools SmarterMail < Build 9511 Authentication Bypass via Password Reset API
SmarterTools SmarterMail versions prior to build 9511 contain an authentication bypass vulnerability in the password reset API. The force-reset-password endpoint permits anonymous requests and fails to verify the existing password or a reset token when resetting system administrator accounts. An unauthenticated attacker can supply a target administrator username and a new password to reset the account, resulting in full administrative compromise of the SmarterMail instance. NOTE: SmarterMail system administrator privileges grant the ability to execute operating system commands via built-in management functionality, effectively providing administrative (SYSTEM or root) access on the underlying host.
| CWE | CWE-288 |
| Vendor | smartertools |
| Product | smartermail |
| Published | Jan 22, 2026 |
| Last Updated | Mar 5, 2026 |
Get instant alerts for smartertools smartermail
This vulnerability is actively exploited in the wild. Set up free real-time alerts so you're first to know about threats like CVE-2026-23760.