MailEnable — CraftedSignal Threat Feedhttps://feed.craftedsignal.io/vendors/mailenable/Trending threats, MITRE ATT&CK coverage, and detection metadata. Fed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioFri, 08 May 2026 21:16:28 +0000MailEnable Enterprise Premium Authentication Bypass Vulnerability (CVE-2026-44400)https://feed.craftedsignal.io/briefs/2026-05-mailenable-auth-bypass/Fri, 08 May 2026 21:16:28 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-05-mailenable-auth-bypass/MailEnable Enterprise Premium 10.55 and earlier is vulnerable to CVE-2026-44400, an improper authorization vulnerability that allows attackers to bypass authentication checks and perform administrative actions by reusing AuthenticationToken cookies.MailEnable Enterprise Premium, versions 10.55 and earlier, contains an improper authorization vulnerability in its WebAdmin mobile portal. This flaw, identified as CVE-2026-44400, allows attackers to bypass authentication by exploiting the way AuthenticationToken cookies are handled. By obtaining a valid token from the WebMail login endpoint, even with low-privileged credentials, an attacker can replay this token against the WebAdmin portal, effectively escalating their privileges. This can lead to unauthorized access to sensitive administrative functions. Defenders should prioritize patching to the latest version or implementing mitigations to prevent unauthorized access.

Attack Chain

  1. An attacker identifies a MailEnable Enterprise Premium server running a vulnerable version (<= 10.55).
  2. The attacker creates a low-privileged user account on the MailEnable server.
  3. The attacker logs into the WebMail interface using the low-privileged account and the PersistentLogin parameter. This generates a valid AuthenticationToken cookie.
  4. The attacker intercepts the AuthenticationToken cookie from the WebMail session.
  5. The attacker crafts a malicious HTTP request targeting the WebAdmin portal.
  6. The attacker injects the stolen AuthenticationToken cookie into the crafted HTTP request.
  7. The attacker sends the modified request to the WebAdmin portal, bypassing authentication checks.
  8. The attacker successfully performs administrative actions on the MailEnable server due to the elevated privileges gained through the authorization bypass.

Impact

Successful exploitation of CVE-2026-44400 allows an unauthenticated attacker to perform arbitrary administrative actions on the affected MailEnable server. This could lead to complete compromise of the email server, including access to all email accounts, sensitive data, and system configurations. The vulnerability poses a significant risk to organizations relying on MailEnable for email services, potentially leading to data breaches, service disruption, and reputational damage.

Recommendation

  • Upgrade MailEnable Enterprise Premium to a version higher than 10.55 to patch CVE-2026-44400.
  • Monitor web server logs for suspicious requests to the WebAdmin portal containing manipulated AuthenticationToken cookies. Use the Sigma rule Detect MailEnable WebAdmin Authentication Bypass Attempt for this purpose.
  • Implement network segmentation to restrict access to the WebAdmin portal from untrusted networks.
  • Enforce strong password policies and multi-factor authentication for all MailEnable accounts to mitigate the risk of credential theft.
  • Deploy the Sigma rule Detect MailEnable WebMail PersistentLogin Use to identify suspicious usage of the PersistentLogin parameter.
]]>highadvisorycveauthentication-bypassprivilege-escalation