Vulnerability Description
Froxlor is open source server administration software. Prior to version 2.3.6, in `EmailSender::add()`, the domain ownership validation for full email sender aliases uses the wrong array index when splitting the email address, passing the local part instead of the domain to `validateLocalDomainOwnership()`. This causes the ownership check to always pass for non-existent "domains," allowing any authenticated customer to add sender aliases for email addresses on domains belonging to other customers. Postfix's `sender_login_maps` then authorizes the attacker to send emails as those addresses. Version 2.3.6 fixes the issue.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Froxlor | Froxlor | < 2.3.6 |
Related Weaknesses (CWE)
References
- https://github.com/froxlor/froxlor/commit/77d04badf549d5f8429828f0fbc69bc37a35e0Patch
- https://github.com/froxlor/froxlor/releases/tag/2.3.6Release Notes
- https://github.com/froxlor/froxlor/security/advisories/GHSA-vmjj-qr7v-pxm6ExploitVendor AdvisoryMitigation
- https://github.com/froxlor/froxlor/security/advisories/GHSA-vmjj-qr7v-pxm6ExploitVendor AdvisoryMitigation
FAQ
What is CVE-2026-41232?
CVE-2026-41232 is a vulnerability with a CVSS score of 5.0 (MEDIUM). Froxlor is open source server administration software. Prior to version 2.3.6, in `EmailSender::add()`, the domain ownership validation for full email sender aliases uses the wrong array index when sp...
How severe is CVE-2026-41232?
CVE-2026-41232 has been rated MEDIUM with a CVSS base score of 5.0/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-41232?
Check the references section above for vendor advisories and patch information. Affected products include: Froxlor Froxlor.