CVE-2026-56780

HIGH 7.5

Modoboa < 2.9.0 - Insecure Direct Object Reference in Account Password Change API

CVSS Score

7.5

EPSS Score

0.0%

EPSS Percentile

0th

Modoboa before 2.9.0 contains an insecure direct object reference vulnerability in the PUT /api/v1/accounts/{pk}/password/ endpoint that allows domain administrators to change any user's password. Attackers with domain admin privileges can bypass object-level access controls to reset superadmin passwords and achieve full account takeover.

CWE	CWE-639
Vendor	modoboa
Product	modoboa
Published	Jun 29, 2026

Stay Ahead of the Next One

Get instant alerts for modoboa modoboa

Be the first to know when new high vulnerabilities affecting modoboa modoboa are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

High

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Affected Versions

modoboa / modoboa

0 < 2.9.0

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/modoboa/modoboa/pull/4038 github.com: https://github.com/modoboa/modoboa/commit/a1878c4920a6e47c3217c6ff1ed4a8753c202661 vulncheck.com: https://www.vulncheck.com/advisories/modoboa-insecure-direct-object-reference-in-account-password-change-api

Credits

George Chen