{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/enterprise-premium--10.55/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.1,"id":"CVE-2026-44400"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Enterprise Premium (\u003c= 10.55)"],"_cs_severities":["high"],"_cs_tags":["cve","authentication-bypass","privilege-escalation"],"_cs_type":"advisory","_cs_vendors":["MailEnable"],"content_html":"\u003cp\u003eMailEnable Enterprise Premium, versions 10.55 and earlier, contains an improper authorization vulnerability in its WebAdmin mobile portal. This flaw, identified as CVE-2026-44400, allows attackers to bypass authentication by exploiting the way AuthenticationToken cookies are handled. By obtaining a valid token from the WebMail login endpoint, even with low-privileged credentials, an attacker can replay this token against the WebAdmin portal, effectively escalating their privileges. This can lead to unauthorized access to sensitive administrative functions. Defenders should prioritize patching to the latest version or implementing mitigations to prevent unauthorized access.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a MailEnable Enterprise Premium server running a vulnerable version (\u0026lt;= 10.55).\u003c/li\u003e\n\u003cli\u003eThe attacker creates a low-privileged user account on the MailEnable server.\u003c/li\u003e\n\u003cli\u003eThe attacker logs into the WebMail interface using the low-privileged account and the \u003ccode\u003ePersistentLogin\u003c/code\u003e parameter. This generates a valid AuthenticationToken cookie.\u003c/li\u003e\n\u003cli\u003eThe attacker intercepts the AuthenticationToken cookie from the WebMail session.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting the WebAdmin portal.\u003c/li\u003e\n\u003cli\u003eThe attacker injects the stolen AuthenticationToken cookie into the crafted HTTP request.\u003c/li\u003e\n\u003cli\u003eThe attacker sends the modified request to the WebAdmin portal, bypassing authentication checks.\u003c/li\u003e\n\u003cli\u003eThe attacker successfully performs administrative actions on the MailEnable server due to the elevated privileges gained through the authorization bypass.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-44400 allows an unauthenticated attacker to perform arbitrary administrative actions on the affected MailEnable server. This could lead to complete compromise of the email server, including access to all email accounts, sensitive data, and system configurations. The vulnerability poses a significant risk to organizations relying on MailEnable for email services, potentially leading to data breaches, service disruption, and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade MailEnable Enterprise Premium to a version higher than 10.55 to patch CVE-2026-44400.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious requests to the WebAdmin portal containing manipulated AuthenticationToken cookies. Use the Sigma rule \u003ccode\u003eDetect MailEnable WebAdmin Authentication Bypass Attempt\u003c/code\u003e for this purpose.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to restrict access to the WebAdmin portal from untrusted networks.\u003c/li\u003e\n\u003cli\u003eEnforce strong password policies and multi-factor authentication for all MailEnable accounts to mitigate the risk of credential theft.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect MailEnable WebMail PersistentLogin Use\u003c/code\u003e to identify suspicious usage of the \u003ccode\u003ePersistentLogin\u003c/code\u003e parameter.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-08T21:16:28Z","date_published":"2026-05-08T21:16:28Z","id":"/briefs/2026-05-mailenable-auth-bypass/","summary":"MailEnable Enterprise Premium 10.55 and earlier is vulnerable to CVE-2026-44400, an improper authorization vulnerability that allows attackers to bypass authentication checks and perform administrative actions by reusing AuthenticationToken cookies.","title":"MailEnable Enterprise Premium Authentication Bypass Vulnerability (CVE-2026-44400)","url":"https://feed.craftedsignal.io/briefs/2026-05-mailenable-auth-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed — Enterprise Premium (\u003c= 10.55)","version":"https://jsonfeed.org/version/1.1"}