CVE-2026-7807 Overview
CVE-2026-7807 is a local file inclusion (LFI) vulnerability in SmarterTools SmarterMail builds prior to 9560. The flaw resides in the /api/v1/report/summary/{type} API endpoint and allows authenticated users to read arbitrary .json files on the server. Attackers can chain this read primitive with weak encryption algorithms and hardcoded keys present in SmarterMail to decrypt stored passwords and two-factor authentication (2FA) secrets for every user on the system. The vulnerability is classified under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory).
Critical Impact
Authenticated attackers can read arbitrary .json files containing encrypted credentials and 2FA seeds, then decrypt them using known hardcoded keys to achieve full account takeover across all SmarterMail users.
Affected Products
- SmarterTools SmarterMail builds prior to build 9560
- SmarterMail Server /api/v1/report/summary/{type} API endpoint
- All SmarterMail user accounts whose credentials and 2FA secrets are stored in .json configuration files
Discovery Timeline
- 2026-05-08 - CVE-2026-7807 published to the National Vulnerability Database (NVD)
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-7807
Vulnerability Analysis
The vulnerability stems from insufficient path validation on the {type} path parameter accepted by the /api/v1/report/summary/{type} API endpoint. SmarterMail uses this value to construct a file path for a JSON report, but it does not constrain the resolved path to an expected report directory. Authenticated users can therefore inject traversal sequences and read any .json file accessible to the SmarterMail service account.
The impact is amplified by SmarterMail's credential storage design. Sensitive material — including user passwords and 2FA shared secrets — is persisted in .json files protected with weak symmetric encryption and hardcoded keys. Once an attacker retrieves these files through the LFI primitive, the static keys allow offline decryption of every record. This converts a low-privilege authenticated read into full credential disclosure for the entire mail server.
Root Cause
The root cause is improper limitation of a pathname to a restricted directory [CWE-22]. The {type} route parameter is concatenated into a file path without canonicalization or allow-list validation. A secondary design flaw — hardcoded cryptographic keys combined with weak algorithms — turns the file read into a credential exposure rather than a contained information leak.
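The following is an added illustration of the CWE-22 pattern and its fix, not SmarterMail's code and not taken from the advisory: it models a generic "{type} -> <report dir>/<type>.json" lookup, with a vulnerable reader beside a hardened one that applies both an allow-list and a containment check on the canonical path. The install layout, report type names and file contents are assumptions, and the files are created under a temporary directory so the example runs offline.

```python
"""Added illustration of the CWE-22 pattern described above and of the fix
(canonicalization plus an allow-list). It is a generic model of a
"{type} -> <report dir>/<type>.json" lookup, not SmarterMail's code: the
directory layout, file contents and report type names are assumptions, and the
files are created under a temp directory so the example runs offline."""
import os
import tempfile
from pathlib import Path

INSTALL_DIR = Path(tempfile.mkdtemp(prefix="mailapp_"))  # hypothetical install root
REPORTS_DIR = INSTALL_DIR / "Reports"
SETTINGS_DIR = INSTALL_DIR / "Settings"
ALLOWED_REPORT_TYPES = frozenset({"summary", "traffic", "spam"})  # assumed allow-list


def build_fixture() -> None:
    """Constructed data: one legitimate report and one sensitive store that lives
    outside the report directory (a placeholder, not real credential data)."""
    REPORTS_DIR.mkdir(parents=True, exist_ok=True)
    SETTINGS_DIR.mkdir(parents=True, exist_ok=True)
    (REPORTS_DIR / "summary.json").write_text('{"report": "summary"}')
    (SETTINGS_DIR / "users.json").write_text('{"users": "<encrypted blob>"}')


def read_report_vulnerable(report_type: str) -> str:
    """The flawed pattern: the route parameter is joined onto the report directory
    with no canonicalization or allow-list. '..' segments walk out of the directory,
    and os.path.join discards the base entirely when the parameter is absolute."""
    target = os.path.join(REPORTS_DIR, report_type + ".json")
    with open(target) as fh:
        return fh.read()


def resolve_report_path(report_type: str) -> Path:
    """Containment check alone: canonicalize, then require the result to sit under
    the report directory. resolve() collapses '..' so the check sees the real target."""
    base = REPORTS_DIR.resolve()
    target = (base / f"{report_type}.json").resolve()
    if base not in target.parents:
        raise PermissionError(f"{report_type!r} resolves outside the report directory")
    return target


def read_report_hardened(report_type: str) -> str:
    """Fix applied in depth: reject anything not on the allow-list first, then
    still enforce containment on the canonical path."""
    if report_type not in ALLOWED_REPORT_TYPES:
        raise PermissionError(f"unknown report type {report_type!r}")
    return resolve_report_path(report_type).read_text()


def _attempt(fn, arg: str) -> str:
    try:
        return fn(arg)
    except PermissionError as exc:
        return f"blocked: {exc}"


def demo() -> dict:
    """Run the same inputs through both versions; the traversal string is the
    decoded form of a payload such as ..%2f..%2fSettings%2fusers."""
    build_fixture()
    traversal = "../Settings/users"
    absolute = str(SETTINGS_DIR / "users")
    return {
        "vulnerable_legit": read_report_vulnerable("summary"),
        "vulnerable_traversal": read_report_vulnerable(traversal),
        "vulnerable_absolute": read_report_vulnerable(absolute),
        "hardened_legit": read_report_hardened("summary"),
        "hardened_traversal": _attempt(read_report_hardened, traversal),
        "containment_only_traversal": _attempt(resolve_report_path, traversal),
        "containment_only_absolute": _attempt(resolve_report_path, absolute),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:28s} {outcome}")
```

The containment check is kept as a separate function so it can be seen rejecting traversal and absolute-path inputs on its own; in the hardened reader it sits behind the allow-list as defence in depth, which matters if the allow-list is later relaxed to accept user-supplied names.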
Attack Vector
Exploitation requires network access to the SmarterMail API and a valid authenticated session, which can be any standard user account. The attacker issues a request to /api/v1/report/summary/{type} with a traversal payload in {type} that resolves to a sensitive .json file, such as the user store or 2FA secret file. After retrieving the file, the attacker decrypts the contents offline using the known hardcoded key to recover plaintext passwords and 2FA seeds. The recovered credentials can then be reused to authenticate as administrative users and pivot further into the mail environment.
No verified public proof-of-concept code is referenced in the advisory. See the VulnCheck Advisory on Local File Inclusion for technical details.
Detection Methods for CVE-2026-7807
Indicators of Compromise
- Requests to /api/v1/report/summary/ containing path traversal sequences such as ..%2f, ../, double-encoded forms such as %252e%252e, backslash variants such as ..%5c on Windows hosts, or absolute paths in the {type} parameter
- Unexpected HTTP 200 responses from the report summary endpoint returning content that does not match a legitimate report schema
- Access to the report summary endpoint by low-privilege accounts that have no operational need to view reports
- Successful logins from new IP addresses for multiple users in a short window, indicating credential reuse after decryption
Detection Strategies
- Inspect IIS or reverse proxy logs for requests to /api/v1/report/summary/{type} and percent-decode the {type} value (repeatedly, so double-encoded payloads are not missed) to identify traversal patterns and non-standard report types
- Correlate report summary API calls with the authenticated user's role; non-administrative accounts accessing this endpoint warrant investigation
- Alert on spikes in 2FA resets, password changes, or session creations following anomalous API activity against the SmarterMail host
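As an added detection example (not from the advisory or from SmarterTools), the scanner below runs the strategies above over IIS W3C log lines: it extracts the {type} segment of requests to /api/v1/report/summary/, percent-decodes it until stable so double-encoded payloads surface, flags traversal sequences and absolute paths, checks the decoded value against an assumed allow-list of report types, and marks calls made by non-administrative accounts. The log lines, user names, addresses and the admin role table are constructed for the example.

```python
"""Added detection example, not from the advisory or from SmarterTools: scans IIS
W3C log lines for requests to /api/v1/report/summary/{type} whose {type} decodes to
a traversal sequence, an absolute path, or a value outside an assumed allow-list of
report types, and flags calls by non-administrative accounts. The log lines, user
names, addresses and role table below are constructed for the example."""
import re
from urllib.parse import unquote

ENDPOINT_PREFIX = "/api/v1/report/summary/"
ALLOWED_REPORT_TYPES = frozenset({"summary", "traffic", "spam"})  # assumption
ADMIN_USERS = frozenset({"admin@example.com"})                    # assumption

# Constructed sample in IIS W3C format; cs-uri-stem keeps the client's encoding.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query cs-username c-ip sc-status
2026-05-09 10:01:02 GET /api/v1/report/summary/traffic - admin@example.com 203.0.113.5 200
2026-05-09 10:03:44 GET /api/v1/report/summary/..%2f..%2fSettings%2fusers - bob@example.com 198.51.100.7 200
2026-05-09 10:03:51 GET /api/v1/report/summary/%252e%252e%252fSettings%252fusers - bob@example.com 198.51.100.7 200
2026-05-09 10:04:10 GET /api/v1/report/summary/spam - carol@example.com 192.0.2.9 200
2026-05-09 10:05:00 GET /api/v1/report/summary/..%5c..%5cSettings%5cusers - bob@example.com 198.51.100.7 404
"""

# A '..' segment bounded by either separator (Windows hosts accept backslashes).
TRAVERSAL_RE = re.compile(r"(^|[\\/])\.\.([\\/]|$)")
ABSOLUTE_RE = re.compile(r"^([\\/]|[A-Za-z]:)")


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until the value stops changing (bounded), so a double-encoded
    payload such as %252e%252e is seen as the '..' the backend may end up using."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify_type(raw_type: str) -> list[str]:
    """Reasons a {type} value is suspicious; empty list for a clean, known type."""
    decoded = fully_decode(raw_type)
    reasons = []
    if TRAVERSAL_RE.search(decoded):
        reasons.append("traversal")
    if ABSOLUTE_RE.match(decoded):
        reasons.append("absolute-path")
    if not reasons and decoded not in ALLOWED_REPORT_TYPES:
        reasons.append("unknown-report-type")
    return reasons


def scan(log_text: str) -> list[dict]:
    """Return one finding per suspicious request; 404s are kept because a failed
    probe is still evidence of an attempt."""
    findings = []
    for line in log_text.splitlines():
        if not line or line.startswith("#"):
            continue
        date, time, _method, stem, _query, user, ip, status = line.split()
        if not stem.startswith(ENDPOINT_PREFIX):
            continue
        raw_type = stem[len(ENDPOINT_PREFIX):]
        reasons = classify_type(raw_type)
        if user not in ADMIN_USERS:
            reasons.append("non-admin-caller")
        if not reasons:
            continue
        severity = "high" if {"traversal", "absolute-path"} & set(reasons) else "low"
        findings.append({
            "when": f"{date} {time}", "user": user, "ip": ip, "status": status,
            "raw_type": raw_type, "decoded_type": fully_decode(raw_type),
            "reasons": reasons, "severity": severity,
        })
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding["severity"], finding["when"], finding["user"],
              finding["decoded_type"], ",".join(finding["reasons"]))
```

On the constructed sample this yields three high-severity findings for the traversal attempts (including the double-encoded and backslash variants) and one low-severity finding for a non-administrative account requesting a legitimate report, which is the role-correlation check from the list above rather than an exploitation indicator on its own.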
Monitoring Recommendations
- Enable verbose API request logging on the SmarterMail server and forward logs to a centralized SIEM for retention and analysis
- Monitor file system access on the directory housing user .json stores for reads originating from the SmarterMail web process outside normal report generation paths
- Track outbound data volumes from the SmarterMail host to detect bulk exfiltration of .json configuration data
How to Mitigate CVE-2026-7807
Immediate Actions Required
- Upgrade SmarterTools SmarterMail to build 9560 or later, which addresses the path traversal in the report summary endpoint
- Force a password reset for all SmarterMail accounts and re-enroll 2FA, since stored secrets must be assumed compromised on unpatched systems
- Review API access logs for prior exploitation of /api/v1/report/summary/{type} and investigate any anomalous reads
- Restrict SmarterMail API exposure to trusted networks where feasible until patching is complete
Patch Information
SmarterTools resolved the vulnerability in SmarterMail build 9560. Administrators should consult the SmarterTools SmarterMail Release Notes for upgrade instructions and verify the installed build after deployment. Additional context is available in the VulnCheck Advisory on Local File Inclusion.
Workarounds
- Place SmarterMail behind a web application firewall (WAF) and block requests to /api/v1/report/summary/ containing traversal sequences or non-allow-listed {type} values
- Limit authenticated API access to administrative source IP ranges via firewall or reverse proxy rules until the upgrade is applied
- Audit and reduce the number of low-privilege accounts on the mail server to shrink the pool of identities that can reach the vulnerable endpoint
# Example reverse proxy rule (nginx) to block traversal on the affected endpoint.
# The test is made at server scope against $request_uri (the raw, undecoded request
# line) rather than inside the location: nginx selects locations using the normalized
# $uri, in which "../" has already been resolved, so a payload that traverses out of
# /api/v1/report/summary/ would never enter a location for that prefix while proxy_pass
# (with no URI part) still forwards the raw URI to the backend. %252e catches dots the
# application may decode a second time; %5c covers backslash separators on Windows.
# These directives belong inside the server { } block that fronts SmarterMail.
if ($request_uri ~* "^/api/v1/report/summary/[^?]*(\.\.|%2e%2e|%252e|%5c)") {
    return 403;
}
location /api/v1/report/summary/ {
    proxy_pass http://smartermail_backend;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.