CVE Alert

CVE-2026-41232

MEDIUM 5.0

Froxlor has an Email Sender Alias Domain Ownership Bypass via Wrong Array Index that Allows Cross-Customer Email Spoofing

CVSS Score
5.0
EPSS Score
0.0%
EPSS Percentile
0th

Froxlor is open source server administration software. Prior to version 2.3.6, the domain ownership validation for full email sender aliases in `EmailSender::add()` uses the wrong array index when splitting the email address at `@`, so the local part rather than the domain is passed to `validateLocalDomainOwnership()`. Because no domain with that name exists, the ownership check always passes, and any authenticated customer can add sender aliases for email addresses on domains belonging to other customers. Postfix's `sender_login_maps` then authorizes the attacker to send email as those addresses. Version 2.3.6 fixes the issue.
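How the wrong index defeats the check, as an added illustration that is not Froxlor's code: the customer/domain table, the `validateLocalDomainOwnership()` stand-in, the two `addSenderAlias*()` functions and `senderLoginMapLine()` are hypothetical, and only the `explode('@', ...)` index mistake mirrors the advisory.

```php
<?php
// Added illustration, not Froxlor's code. The data, the ownership check and
// the login-map rendering are hypothetical stand-ins for EmailSender::add(),
// validateLocalDomainOwnership() and the generated Postfix sender_login_maps.

// Constructed data: which panel customer owns which mail domain.
const DOMAIN_OWNERS = [
    'attacker.example' => 'cust_a',
    'victim.example'   => 'cust_b',
];

// Assumed semantics of the check: a domain owned by another customer is
// rejected; a domain the panel does not know (or one owned by the caller)
// passes. This is what makes a local part look like a harmless "domain".
function validateLocalDomainOwnership(string $domain, string $customer): bool
{
    $owner = DOMAIN_OWNERS[strtolower($domain)] ?? null;
    return $owner === null || $owner === $customer;
}

// Pre-2.3.6 shape of the bug: index 0 is the local part ("postmaster"),
// so the owner lookup never finds a conflicting customer.
function addSenderAliasVulnerable(string $email, string $customer): bool
{
    $parts = explode('@', $email, 2);
    if (count($parts) !== 2 || $parts[0] === '' || $parts[1] === '') {
        return false;
    }
    return validateLocalDomainOwnership($parts[0], $customer);
}

// Corrected shape: index 1 is the domain, so another customer's domain fails.
function addSenderAliasFixed(string $email, string $customer): bool
{
    $parts = explode('@', $email, 2);
    if (count($parts) !== 2 || $parts[0] === '' || $parts[1] === '') {
        return false;
    }
    return validateLocalDomainOwnership($parts[1], $customer);
}

// Hypothetical rendering of the sender_login_maps entry an accepted alias
// would produce: "<envelope sender>  <SASL login allowed to use it>".
function senderLoginMapLine(string $email, string $login): string
{
    return sprintf("%s\t%s\n", $email, $login);
}

$attacker = 'cust_a';
$cases = [
    'postmaster@victim.example' => 'another customer\'s domain',
    'sales@attacker.example'    => 'attacker\'s own domain',
];

foreach ($cases as $email => $label) {
    printf("%-28s (%s)\n", $email, $label);
    printf("  vulnerable check accepts: %s\n", addSenderAliasVulnerable($email, $attacker) ? 'yes' : 'no');
    printf("  fixed check accepts:      %s\n", addSenderAliasFixed($email, $attacker) ? 'yes' : 'no');
    if (addSenderAliasVulnerable($email, $attacker)) {
        echo '  resulting map line: ', senderLoginMapLine($email, 'cust_a@attacker.example');
    }
}
```

In Postfix, `smtpd_sender_login_maps` combined with `reject_sender_login_mismatch` maps each envelope sender to the SASL logins allowed to use it, so an alias that survives the panel's check is all the attacker needs to relay as the victim address. Since the advisory describes the fix as correcting the check inside `add()`, sender aliases accepted before the upgrade are worth reviewing against the domain owner table rather than assumed clean.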

CWE CWE-863
Vendor froxlor
Product froxlor
Published Apr 23, 2026

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
None
Integrity
Low
Availability
None

Affected Versions

froxlor / froxlor
< 2.3.6

References

NVD, CVE.org, EPSS Data
github.com: https://github.com/froxlor/froxlor/security/advisories/GHSA-vmjj-qr7v-pxm6
github.com: https://github.com/froxlor/froxlor/commit/77d04badf549d5f8429828f0fbc69bc37a35e07a
github.com: https://github.com/froxlor/froxlor/releases/tag/2.3.6