Description
sagredo qmail before 2026.04.07 allows tls_quit remote code execution because of popen in notlshosts_auto in qmail-remote.c.
Published: 2026-04-16
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

sagredo qmail versions prior to 2026.04.07 contain an OS command injection flaw in the notlshosts_auto function of qmail-remote.c. The vulnerable popen call is executed when processing the tls_quit command, enabling an attacker to supply arbitrary shell commands. Exploitation results in remote code execution with the privileges of the qmail process, potentially leading to full system compromise. The weakness corresponds to CWE-78.

Affected Systems

The affected product is sagredo qmail, any release before the 2026.04.07 update. Those running older versions should verify their installed version and apply the v2026.04.07 release, which removes the insecure popen invocation.

Risk and Exploitability

The CVSS score is 8.1, indicating high severity. No EPSS data is available, and the vulnerability is not listed in the CISA KEV catalog; however, the exploitation path is straightforward: a remote client who can establish a TLS connection to the qmail instance can issue the tls_quit command and trigger the vulnerable popen call. The attack requires only network access to the qmail service and does not require privileged local access.

Generated by OpenCVE AI on April 17, 2026 at 02:23 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade sagredo qmail to release v2026.04.07 or later, which removes the popen call in notlshosts_auto.
  • If upgrading immediately is not possible, temporarily disable the tls_quit functionality by editing the qmail configuration or removing the flag that enables it, thereby preventing the vulnerable code from executing.
  • Restrict network exposure of the qmail service using firewall rules or intrusion detection so that only trusted hosts can connect, reducing the opportunity for exploitation while awaiting a patch.

Generated by OpenCVE AI on April 17, 2026 at 02:23 UTC.

Advisories

No advisories yet.

History

Sat, 18 Apr 2026 21:30:00 +0000

Type: References

Fri, 17 Apr 2026 14:15:00 +0000

Type: Metrics ssvc
Values added: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 17 Apr 2026 08:15:00 +0000

Type: First Time appeared
Values added: Sagredo; Sagredo qmail

Type: Vendors & Products
Values added: Sagredo; Sagredo qmail

Fri, 17 Apr 2026 02:45:00 +0000

Type: Title
Values added: TLS_QUIT Command Injection in sagredo qmail

Thu, 16 Apr 2026 22:15:00 +0000

Type: Description
Values added: sagredo qmail before 2026.04.07 allows tls_quit remote code execution because of popen in notlshosts_auto in qmail-remote.c.

Type: Weaknesses
Values added: CWE-78

Type: References

Type: Metrics cvssV3_1
Values added: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-18T20:09:47.901Z

Reserved: 2026-04-16T22:02:09.837Z

Link: CVE-2026-41113

Vulnrichment

Updated: 2026-04-18T20:09:47.901Z

NVD

Status: Awaiting Analysis

Published: 2026-04-16T22:16:39.103

Modified: 2026-04-18T21:16:09.427

Link: CVE-2026-41113

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T08:01:25Z

Weaknesses