Cryptographic Weakness in SmarterMail by SmarterTools
CVE-2026-40514

CVSS v4 score: 8.2 (HIGH)

Key Information:

Vendor: SmarterTools
CVE Published: 27 April 2026

What is CVE-2026-40514?

SmarterMail versions earlier than 9610 contain a significant cryptographic weakness in their file and email sharing endpoints. The issue stems from the use of DES-CBC encryption with keys and initialization vectors generated from a poorly seeded System.Random; the limited entropy of that seed narrows the seed space to around 19,000 values. An unauthenticated attacker can use the attachment download endpoint as an oracle to determine the active seed, derive the encryption key and initialization vector, and forge sharing tokens that grant unauthorized access to emails, attachments, or file content without any prior access.
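The weak construction the advisory describes, beside a hardened replacement, as an added C# illustration that is not SmarterMail's code: `seed` is a placeholder for a narrowly seeded value (how the product derives its seed is not stated on this page), and the hardened side assumes .NET 8 or later for the `AesGcm` tag-size constructor.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Weak pattern from the advisory: DES-CBC with key and IV drawn from System.Random, which is
// deterministic (recover the seed, recover key and IV) and CBC alone gives the token no integrity.
static class WeakShareTokenCipher
{
    // `seed` is a placeholder; the page only states the real seed space is about 19,000 values.
    public static byte[] Encrypt(string token, int seed)
    {
        var prng = new Random(seed);                 // not a CSPRNG
        byte[] key = new byte[8], iv = new byte[8];  // DES: 8-byte key (56 effective bits), 8-byte block
        prng.NextBytes(key);
        prng.NextBytes(iv);
        using var des = DES.Create();
        des.Mode = CipherMode.CBC;
        des.Key = key;                               // throws for the few known weak DES keys
        des.IV = iv;
        using var enc = des.CreateEncryptor();
        var plain = Encoding.UTF8.GetBytes(token);
        return enc.TransformFinalBlock(plain, 0, plain.Length);
    }
}
// Hardened replacement: key from the OS CSPRNG, AES-256-GCM, tag checked before the token is trusted.
static class HardenedShareTokenCipher
{
    const int NonceLen = 12, TagLen = 16;
    public static byte[] NewKey() => RandomNumberGenerator.GetBytes(32);
    // Output layout: nonce || tag || ciphertext.
    public static byte[] Seal(byte[] key, string token)
    {
        var plain = Encoding.UTF8.GetBytes(token);
        var blob = new byte[NonceLen + TagLen + plain.Length];
        RandomNumberGenerator.Fill(blob.AsSpan(0, NonceLen));      // fresh nonce per token
        using var aes = new AesGcm(key, TagLen);                    // .NET 8+ constructor
        aes.Encrypt(blob.AsSpan(0, NonceLen), plain, blob.AsSpan(NonceLen + TagLen), blob.AsSpan(NonceLen, TagLen));
        return blob;
    }
    // Returns null for a blob that was tampered with or sealed under a different key.
    public static string? Open(byte[] key, byte[] blob)
    {
        if (blob.Length < NonceLen + TagLen) return null;
        var plain = new byte[blob.Length - NonceLen - TagLen];
        using var aes = new AesGcm(key, TagLen);
        try { aes.Decrypt(blob.AsSpan(0, NonceLen), blob.AsSpan(NonceLen + TagLen), blob.AsSpan(NonceLen, TagLen), plain); }
        catch (CryptographicException) { return null; }           // tag mismatch surfaces here
        return Encoding.UTF8.GetString(plain);
    }
}
```

With the hardened form a forged or modified token fails the GCM tag check in `Open`, so the server never acts on it; the weak form accepts any ciphertext that decrypts.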

Affected Version(s)

SmarterMail: all versions from 0 up to, but not including, 100.0.9610

CVSS v4

Score: 8.2
Severity: HIGH
Confidentiality: High
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: High
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Credit

Maximilian Wiegand of CODE WHITE GmbH.