Insecure Direct Object Reference in Modoboa Email Server
CVE-2026-56780

7.7HIGH

Key Information:

Vendor

Modoboa

Status
Modoboa
Vendor
CVE Published:
29 June 2026

What is CVE-2026-56780?

An insecure direct object reference vulnerability has been identified in Modoboa versions prior to 2.9.0, specifically in the PUT /api/v1/accounts/{pk}/password/ endpoint. This flaw permits domain administrators to manipulate user passwords freely, which may lead to unauthorized access. Attackers with administrative privileges can bypass critical access controls, allowing them to reset passwords for superadmin accounts and potentially seize full control over affected accounts. It is crucial for users to update to the latest version to mitigate these risks.

Affected Version(s)

modoboa 0 < 2.9.0

modoboa 2.9.0

References

https://github.com/modoboa/modoboa/pull/4038
issue-tracking
https://github.com/modoboa/modoboa/commit/a1878c4920a6e47...
patch
https://www.vulncheck.com/advisories/modoboa-insecure-dir...
third-party-advisory

CVSS V4

Score:
7.7
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

George Chen
.