Email Spoofing Vulnerability in Froxlor Open Source Server Administration Software
CVE-2026-41232

5 (MEDIUM)

Key Information:

Vendor: Froxlor
Status: Vendor
CVE Published: 23 April 2026

What is CVE-2026-41232?

Froxlor is open-source server administration software. Prior to version 2.3.6, its email alias functionality contains a vulnerability: the method EmailSender::add() validates domain ownership against the local part of the email address instead of its domain. Because of this, an authenticated user can add sender aliases for addresses on domains they do not own. Since Froxlor feeds these aliases into Postfix's sender_login_maps, which decides which authenticated login may send from which address, the flaw lets such a user send email impersonating addresses on other customers' domains. The issue is fixed in version 2.3.6; upgrading to that version mitigates the risk.
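As an added illustration (not Froxlor's code, and written in Python rather than the project's PHP), the flawed ownership check described above beside a corrected one; the domain-owner table and the fail-open shape of the flawed lookup are assumptions made for the example:

```python
"""Constructed illustration of the flaw described in CVE-2026-41232: an
alias-ownership check that looks at the local part of an address instead
of its domain, beside the corrected check. This is not Froxlor's code;
the table layout and the fail-open lookup shape are assumptions."""

# Constructed sample data: domain -> owning customer account.
DOMAIN_OWNER = {
    "alice-hosting.example": "alice",
    "bob-shop.example": "bob",
}


def split_address(address: str) -> tuple:
    """Return (local_part, domain), lowercased; reject malformed input."""
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain or "@" in local:
        raise ValueError(f"malformed address: {address!r}")
    return local.lower(), domain.lower()


def vulnerable_may_add_alias(customer: str, address: str) -> bool:
    """Flawed check (assumed shape): picks the wrong half of the address
    and only denies when that string is a domain owned by someone else.
    A local part is never a known domain, so the lookup finds no owner
    and the check falls open for any domain."""
    parts = address.lower().split("@")
    looked_up = parts[0]            # bug: local part used as the domain
    owner = DOMAIN_OWNER.get(looked_up)
    return owner is None or owner == customer


def fixed_may_add_alias(customer: str, address: str) -> bool:
    """Corrected check: take the real domain and require that this
    customer owns it (unknown domains are denied, not allowed)."""
    _, domain = split_address(address)
    return DOMAIN_OWNER.get(domain) == customer


def sender_login_map_line(customer: str, address: str, login: str) -> str:
    """Emit the Postfix sender_login_maps entry that authorises `login`
    to send as `address`, but only after the corrected check passes."""
    if not fixed_may_add_alias(customer, address):
        raise PermissionError(f"{customer} does not own {address}")
    return f"{address.lower()} {login}"


if __name__ == "__main__":
    spoof = "ceo@bob-shop.example"   # alice trying to claim bob's domain
    print("vulnerable:", vulnerable_may_add_alias("alice", spoof))  # True
    print("fixed:     ", fixed_may_add_alias("alice", spoof))       # False
```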

Affected Version(s)

froxlor < 2.3.6

CVSS V3.1

Score: 5
Severity: MEDIUM
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
