Description
Froxlor is open source server administration software. Prior to version 2.3.6, in `EmailSender::add()`, the domain ownership validation for full email sender aliases uses the wrong array index when splitting the email address, passing the local part instead of the domain to `validateLocalDomainOwnership()`. This causes the ownership check to always pass for non-existent "domains," allowing any authenticated customer to add sender aliases for email addresses on domains belonging to other customers. Postfix's `sender_login_maps` then authorizes the attacker to send emails as those addresses. Version 2.3.6 fixes the issue.
Published: 2026-04-23
Score: 5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross-customer email spoofing through forged sender aliases
Action: Immediate Patch
AI Analysis

Impact

A flaw in Froxlor’s EmailSender::add() splits an email address incorrectly, sending the local part instead of the domain to the ownership validation routine. This causes the ownership check to always succeed for arbitrary domains, enabling any authenticated customer to create sender aliases that claim email addresses belonging to other customers. Postfix then authorizes these aliases through sender_login_maps, allowing forged messages to be sent as other users.
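The wrong-index bug described above, as an added illustration that is not Froxlor's code: a small model of a sender-alias check that receives the local part instead of the domain, beside the corrected version. The function names, the domain table and the ownership rule (a name that is not a hosted domain is treated as external and allowed) are assumptions for this example.

```python
# Added illustration, not Froxlor's code: a minimal model of the
# wrong-array-index bug the advisory describes and of its fix.
# The function names, the ownership rule and the domain table below
# are assumptions made for this example.

# Constructed data: domains hosted on this server and their owners.
LOCAL_DOMAINS = {
    "victim.example": "customer_b",
    "attacker.example": "customer_a",
}


def validate_local_domain_ownership(customer: str, domain: str) -> bool:
    """Assumed rule: a domain hosted here may only be used by its owner;
    a name that is not a hosted domain is treated as external and
    allowed. That second branch is what the bug turns into a bypass."""
    owner = LOCAL_DOMAINS.get(domain.lower())
    return owner is None or owner == customer


def add_sender_alias_vulnerable(customer: str, email: str) -> bool:
    """Pre-2.3.6 behaviour as described: the check receives the local
    part (index 0) instead of the domain (index 1)."""
    parts = email.split("@")
    if len(parts) != 2 or not all(parts):
        return False
    # BUG: parts[0] is "ceo", which is never a hosted domain, so the
    # ownership check passes for any address the customer submits.
    return validate_local_domain_ownership(customer, parts[0])


def add_sender_alias_fixed(customer: str, email: str) -> bool:
    """Fixed behaviour: validate the domain part. rsplit keeps the
    result correct even if a quoted local part contains an '@'."""
    parts = email.rsplit("@", 1)
    if len(parts) != 2 or not all(parts):
        return False
    return validate_local_domain_ownership(customer, parts[1])


def compare(customer: str, email: str) -> dict:
    """Run both versions on one request for a side-by-side view."""
    return {
        "email": email,
        "vulnerable": add_sender_alias_vulnerable(customer, email),
        "fixed": add_sender_alias_fixed(customer, email),
    }


if __name__ == "__main__":
    # customer_a tries to register sender aliases: one on customer_b's
    # domain, one on its own, one on a domain not hosted here.
    for addr in ("ceo@victim.example", "me@attacker.example",
                 "x@external.example"):
        print(compare("customer_a", addr))
```

Only the first address differs between the two versions: the vulnerable path accepts `ceo@victim.example` for customer_a because `"ceo"` is not a hosted domain, while the fixed path rejects it because `victim.example` belongs to customer_b.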

Affected Systems

The ownership bypass is present in every Froxlor installation older than version 2.3.6. It becomes usable for spoofing where customers are allowed to add sender aliases and outbound mail goes through Postfix with a sender_login_maps table that authorizes senders based on those aliases.

Risk and Exploitability

The vulnerability carries a CVSS 3.1 base score of 5.0 (Medium) and an EPSS probability below 1 %, and it is not listed in the CISA KEV catalog; the SSVC record marks exploitation as "poc". Exploitation requires only a customer login to the Froxlor web interface, with no elevated privileges and no user interaction. An attacker adds a sender alias for an address on another customer's domain, the broken check accepts it, and Postfix then lets the attacker's login send as that address. The exposure is limited to sender spoofing (integrity), but it is higher wherever the environment trusts Postfix to relay outbound mail for all customers without further per-sender controls.

Generated by OpenCVE AI on April 28, 2026 at 07:39 UTC.

Remediation

Vendor fix: Froxlor 2.3.6 (see the GHSA advisory below). No separate workaround is listed.

OpenCVE Recommended Actions

  • Upgrade Froxlor to version 2.3.6 or later, which passes the domain part rather than the local part to the ownership check.
  • Audit sender aliases created while a vulnerable version was running and remove any whose domain is not owned by the customer that created the alias.
  • After the cleanup, verify that the Postfix sender_login_maps lookup no longer authorizes any login to send as an address on another customer's domain; rebuild or regenerate the map if stale entries remain.
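A way to carry out the second and third actions above, as an added example that is not part of the advisory or of Froxlor: audit a Postfix sender-login table (the parameter is `smtpd_sender_login_maps`, enforced by `reject_sender_login_mismatch`) for entries that let a SASL login send as an address on a domain owned by a different customer. The map text, the login-to-customer and domain-to-customer tables are constructed here; on a real host you would export a `hash:` table with `postmap -s` or query the same data from the panel's database.

```python
# Added example, not Froxlor's or Postfix's own code: flag entries in a
# Postfix sender-login map whose sender domain is owned by a customer
# other than the one the login belongs to. All data below is constructed.
import re

# Constructed hash:-style map: "sender_address  login[, login...]".
# The ceo@victim.example line is the kind of entry a forged alias creates.
SENDER_LOGIN_MAP = """\
# sender address          SASL logins allowed to use it
bob@attacker.example      bob@attacker.example
alice@victim.example      alice@victim.example
ceo@victim.example        bob@attacker.example, alice@victim.example
@attacker.example         bob@attacker.example
"""

# Constructed ownership tables (assumed to come from the panel database).
LOGIN_OWNER = {
    "bob@attacker.example": "customer_a",
    "alice@victim.example": "customer_b",
}
DOMAIN_OWNER = {
    "attacker.example": "customer_a",
    "victim.example": "customer_b",
}


def parse_sender_login_map(text: str) -> list:
    """Parse map lines into (sender, [logins]) pairs. Postfix separates
    key and value by whitespace and multiple values by commas and/or
    whitespace; blank lines and '#' comments are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 1)
        if len(fields) != 2:
            continue
        key, value = fields
        logins = [v.lower() for v in re.split(r"[,\s]+", value.strip()) if v]
        entries.append((key.lower(), logins))
    return entries


def sender_domain(sender: str) -> str:
    """Domain part of a full address or of a domain-only key like '@x'."""
    return sender.rsplit("@", 1)[-1]


def find_cross_customer_entries(map_text: str, login_owner: dict,
                                domain_owner: dict) -> list:
    """Return (sender, login) pairs where the login's customer is not the
    owner of the sender's domain. Domains not hosted here are skipped;
    a login with no known customer is reported as well."""
    findings = []
    for sender, logins in parse_sender_login_map(map_text):
        owner = domain_owner.get(sender_domain(sender))
        if owner is None:
            continue
        for login in logins:
            if login_owner.get(login) != owner:
                findings.append((sender, login))
    return findings


if __name__ == "__main__":
    for sender, login in find_cross_customer_entries(
            SENDER_LOGIN_MAP, LOGIN_OWNER, DOMAIN_OWNER):
        print(f"cross-customer entry: {login} may send as {sender}")
```

On the constructed map the only hit is `bob@attacker.example` being allowed to send as `ceo@victim.example`; every such hit corresponds to an alias that should be deleted in the panel before the map is regenerated.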

Advisories
Source: GitHub GHSA
ID: GHSA-vmjj-qr7v-pxm6
Title: Froxlor has an Email Sender Alias Domain Ownership Bypass via Wrong Array Index Allows Cross-Customer Email Spoofing
History

Mon, 27 Apr 2026 17:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared  (none)           Froxlor; Froxlor froxlor
CPEs                 (none)           cpe:2.3:a:froxlor:froxlor:*:*:*:*:*:*:*:*
Vendors & Products   (none)           Froxlor; Froxlor froxlor

Thu, 23 Apr 2026 15:30:00 +0000

Type      Values Removed   Values Added
Metrics   (none)           ssvc: Exploitation = poc, Automatable = no, Technical Impact = partial (SSVC version 2.0.3)

Thu, 23 Apr 2026 05:00:00 +0000

Type          Values Removed   Values Added
Description   (none)           Froxlor is open source server administration software. Prior to version 2.3.6, in `EmailSender::add()`, the domain ownership validation for full email sender aliases uses the wrong array index when splitting the email address, passing the local part instead of the domain to `validateLocalDomainOwnership()`. This causes the ownership check to always pass for non-existent "domains," allowing any authenticated customer to add sender aliases for email addresses on domains belonging to other customers. Postfix's `sender_login_maps` then authorizes the attacker to send emails as those addresses. Version 2.3.6 fixes the issue.
Title         (none)           Froxlor has an Email Sender Alias Domain Ownership Bypass via Wrong Array Index that Allows Cross-Customer Email Spoofing
Weaknesses    (none)           CWE-863
References    (none)           (none listed)
Metrics       (none)           cvssV3_1: score 5.0, vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-23T14:50:19.516Z

Reserved: 2026-04-18T03:47:03.134Z

Link: CVE-2026-41232

Vulnrichment

Updated: 2026-04-23T14:49:44.971Z

NVD

Status : Analyzed

Published: 2026-04-23T05:16:05.333

Modified: 2026-04-27T17:02:02.877

Link: CVE-2026-41232

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T07:45:26Z

Weaknesses