
CVE-2026-3794: DoraCMS Authentication Bypass Vulnerability

CVE-2026-3794 is an authentication bypass flaw in DoraCMS 3.0.x affecting the Email API endpoint. Attackers can exploit this remotely to bypass authentication controls. This article covers technical details, impact, and mitigation.

CVE-2026-3794 Overview

An improper authentication vulnerability has been identified in doramart DoraCMS 3.0.x affecting the Email API component. The vulnerability exists in the /api/v1/mail/send endpoint, where insufficient authentication controls allow unauthorized access. This flaw enables remote attackers to bypass authentication mechanisms and interact with the mail sending functionality without proper credentials.

Critical Impact

Attackers can remotely exploit the Email API to send unauthorized emails, potentially enabling phishing campaigns, spam distribution, or further attacks against the organization's email reputation and infrastructure.

Affected Products

  • DoraCMS 3.0.x (html-js doracms)

Discovery Timeline

  • 2026-03-09 - CVE-2026-3794 published to NVD
  • 2026-03-10 - Last updated in NVD database

Technical Details for CVE-2026-3794

Vulnerability Analysis

This vulnerability is classified as CWE-287 (Improper Authentication), indicating that the affected component fails to properly verify the identity of users attempting to access the Email API endpoint. The /api/v1/mail/send endpoint lacks adequate authentication validation, allowing unauthenticated requests to be processed by the server.

The network-accessible nature of this vulnerability means attackers can exploit it remotely without requiring any prior authentication or user interaction. The exploit has been publicly disclosed and documented in VulDB, increasing the urgency for organizations using DoraCMS to assess their exposure.

Root Cause

The root cause stems from missing or improperly implemented authentication checks on the /api/v1/mail/send API endpoint. The Email API component does not adequately verify that incoming requests originate from authenticated and authorized users before processing mail send operations. This represents a fundamental failure in the application's access control design for this specific endpoint.

Attack Vector

The attack vector is network-based, requiring no authentication, privileges, or user interaction. An attacker can craft HTTP requests directly to the /api/v1/mail/send endpoint to exploit this vulnerability. The exploitation methodology involves:

  1. Identifying a DoraCMS 3.0.x instance with the vulnerable Email API exposed
  2. Sending unauthenticated HTTP requests to the /api/v1/mail/send endpoint
  3. Bypassing authentication controls to access mail sending functionality
  4. Leveraging the compromised endpoint to send unauthorized emails or gather information

The vendor was contacted regarding this disclosure but did not respond, leaving no official patch or acknowledgment available at this time. Technical details and proof-of-concept information are available through VulDB Submission #768239.

Detection Methods for CVE-2026-3794

Indicators of Compromise

  • Unusual or unauthorized HTTP requests to /api/v1/mail/send from external or unknown IP addresses
  • Spike in outbound email traffic originating from the DoraCMS server
  • Log entries showing successful mail send operations without corresponding authenticated sessions
  • Email bounce-backs or delivery failures from recipients reporting spam originating from the CMS server

Detection Strategies

  • Implement web application firewall (WAF) rules to monitor and log all requests to the /api/v1/mail/send endpoint
  • Review application logs for API calls to the Email endpoint that lack valid session tokens or authentication headers
  • Deploy network monitoring to detect anomalous traffic patterns to the DoraCMS Email API

Monitoring Recommendations

  • Enable detailed access logging for all API endpoints, particularly /api/v1/mail/send
  • Configure SIEM alerts for unauthenticated access attempts to sensitive API endpoints
  • Monitor email server logs for correlation with DoraCMS API activity to identify abuse patterns

How to Mitigate CVE-2026-3794

Immediate Actions Required

  • Disable or restrict access to the /api/v1/mail/send endpoint until a patch is available
  • Implement network-level access controls to limit API endpoint access to trusted IP addresses only
  • Review and audit all recent Email API activity for signs of exploitation
  • Consider placing the DoraCMS instance behind a reverse proxy with authentication enforcement

Patch Information

No official patch has been released by the vendor as of 2026-03-10. The vendor was contacted regarding this disclosure but did not respond. Organizations should monitor official DoraCMS repositories and the VulDB entry for updates on remediation options.

Workarounds

  • Implement authentication middleware or reverse proxy authentication in front of the Email API endpoint
  • Use firewall rules to block external access to /api/v1/mail/send
  • Disable the Email API functionality entirely if not required for business operations
  • Consider migrating to an alternative CMS solution with active security support
```nginx
# Example: block access to the vulnerable endpoint with nginx.
# Prefix match, so "/api/v1/mail/send/" and longer paths under it are
# covered as well. Use exactly one of the two policies below: nginx
# evaluates allow/deny directives in order and the first match wins, so an
# unconditional "deny all;" placed first would also override a later "allow".
location /api/v1/mail/send {
    # Policy A: deny all access to the endpoint
    deny all;

    # Policy B: permit only the internal network (replace Policy A with this
    # and keep the same proxy_pass as the main API location so permitted
    # requests still reach the application)
    # allow 10.0.0.0/8;
    # deny all;
}
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
