CVE-2026-41232
Description
Froxlor is open source server administration software. Prior to version 2.3.6, in EmailSender::add(), the domain ownership validation for full email sender aliases uses the wrong array index when splitting the email address, passing the local part instead of the domain to validateLocalDomainOwnership(). This causes the ownership check to always pass for non-existent "domains," allowing any authenticated customer to add sender aliases for email addresses on domains belonging to other customers. Postfix's sender_login_maps then authorizes the attacker to send emails as those addresses. Version 2.3.6 fixes the issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
froxlor/froxlorPackagist | < 2.3.6 | 2.3.6 |
Affected products
2Patches
Vulnerability mechanics
References
5- github.com/froxlor/froxlor/commit/77d04badf549d5f8429828f0fbc69bc37a35e07anvdPatchWEB
- github.com/froxlor/froxlor/security/advisories/GHSA-vmjj-qr7v-pxm6nvdExploitVendor AdvisoryMitigationWEB
- github.com/advisories/GHSA-vmjj-qr7v-pxm6ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-41232ghsaADVISORY
- github.com/froxlor/froxlor/releases/tag/2.3.6nvdRelease NotesWEB
News mentions
0No linked articles in our index yet.