Main Vulnerability Database Vulnerabilities #VU121946

Improper authentication in SmarterMail - CVE-2026-23760

Published: January 22, 2026 / Updated: February 6, 2026

Vulnerability identifier: #VU121946

CSH Severity: Critical

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Red

CVE-ID: CVE-2026-23760

CWE-ID: CWE-287

Exploitation vector: Remote access

Exploit availability: The vulnerability is being exploited in the wild

Vendor: SmarterTools Inc.

Affected software:
SmarterMail

Detailed vulnerability description

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to an error in the password reset feature. A remote non-authenticated attacker can reset password of an administrative user and gain full access to the application, including ability to execute system commands.

How to mitigate CVE-2026-23760

Install updates from vendor's website.

Sources

https://labs.watchtowr.com/attackers-with-decompilers-strike-again-smartertools-smartermail-wt-2026-0001-auth-bypass/
https://portal.smartertools.com/community/a97681/new-user-on-google_abc_com.aspx?ref=labs.watchtowr.com

Improper authentication in SmarterMail - CVE-2026-23760

Detailed vulnerability description

How to mitigate CVE-2026-23760

Sources

Please verify you're human