CVE-2026-44400— MailEnable Enterprise Premium < 10.55 Authorization Bypass via WebAdmin
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-44400
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
MailEnable Enterprise Premium < 10.55 Authorization Bypass via WebAdmin
Source: NVD (National Vulnerability Database)
Vulnerability Description
MailEnable Enterprise Premium 10.55 and earlier contains an improper authorization vulnerability in the WebAdmin mobile portal that allows attackers to bypass authentication checks by reusing AuthenticationToken cookies generated for low-privileged users. Attackers can obtain a token from the WebMail login endpoint using the PersistentLogin parameter and replay it against the WebAdmin portal to perform highly privileged administrative actions.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
通过用户控制密钥绕过授权机制
Source: NVD (National Vulnerability Database)
Vulnerability Title
MailEnable Enterprise Premium 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
MailEnable Enterprise Premium是澳大利亚MailEnable公司的一套POP3和SMTP邮件服务器。 MailEnable Enterprise Premium 10.55及之前版本存在安全漏洞,该漏洞源于WebAdmin移动门户中的授权不当,可能导致攻击者重用低权限用户的AuthenticationToken cookie绕过身份验证。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| MailEnable | MailEnable Enterprise Premium | 0 ~ 10.55 | - |
II. Public POCs for CVE-2026-44400
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-44400
请登录查看更多情报信息。
- https://www.mailenable.com/Premium-ReleaseNotes.txtrelease-notes
- https://nvd.nist.gov/vuln/detail/CVE-2026-44400
IV. Related Vulnerabilities
Same vendor: MailEnable
- CVE-2026-32852
MailEnable < 10.55 Reflected XSS via FreeBusy.aspx StartDate - CVE-2026-32851
MailEnable < 10.55 Reflected XSS via FreeBusy.aspx StartDate - CVE-2026-32850
MailEnable < 10.55 Reflected XSS via ManageShares.aspx Selec - CVE-2025-34427
MailEnable < 10.54 Cleartext Credential Storage in AUTH.TAB - CVE-2025-34428
MailEnable < 10.54 Cleartext Credential Storage in AUTH.SAV
Same weakness: CWE-639
- CVE-2026-8196
JeecgBoot mLogin Endpoint LoginController.java authorization - CVE-2026-42291
SysReptor: Read-write access to personal notes by sharing-li - CVE-2026-42279
solidtime: Time entry update endpoint allows cross-organizat - CVE-2026-42277
Onyx: IDOR in /chat/file/{file_id} allows any authenticated - CVE-2026-42276
Onyx: IDOR in /chat/stop-chat-session allows any authenticat
V. Comments for CVE-2026-44400
No comments yet