SmarterTools SmarterMail < Build 9511 Authentication Bypass via Password Reset API

Advisories

severity: critical
date: 1/22/2026
Affecting: SmarterMail < 100.0.9511
CVE: CVE-2026-23760
CWE: CWE-288 Authentication Bypass Using an Alternate Path or Channel
CVSS: 9.3
CVSS V4 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
References: SmarterMail Release Notes
watchTowr Blog and PoC
CODE WHITE Vulnerability List
Credit: Piotr Bazydlo & Sina Kheirkhah of watchTowr, Markus Wulftange of CODE WHITE GmbH
Description: SmarterTools SmarterMail versions prior to build 9511 contain an authentication bypass vulnerability in the password reset API. The force-reset-password endpoint permits anonymous requests and fails to verify the existing password or a reset token when resetting system administrator accounts. An unauthenticated attacker can supply a target administrator username and a new password to reset the account, resulting in full administrative compromise of the SmarterMail instance. NOTE: SmarterMail system administrator privileges grant the ability to execute operating system commands via built-in management functionality, effectively providing administrative (SYSTEM or root) access on the underlying host.
VulnCheck KEV: This advisory is in the VulnCheck KEV database

Ready to get Started?

Explore VulnCheck, a next-generation Cyber Threat Intelligence platform, which provides exploit and vulnerability intelligence to help you prioritize and remediate vulnerabilities that matter.

Vulnerability Prioritization
Prioritize vulnerabilities that matter based on the threat landscape and defer vulnerabilities that don't.
Early Warning System
Real-time alerting of changes in the vulnerability landscape so that you can take action before the attacks start.

Schedule a Demo