Description
Modoboa before 2.9.0 contains an insecure direct object reference vulnerability in the PUT /api/v1/accounts/{pk}/password/ endpoint that allows domain administrators to change any user's password. Attackers with domain admin privileges can bypass object-level access controls to reset superadmin passwords and achieve full account takeover.
Published: 2026-06-29
Score: 7.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An insecure direct object reference in the account password change API allows a domain administrator to reset any user’s password, bypassing object-level access controls. This flaw enables the administrator to change a superadmin password and acquire full control over the entire system. The weakness is a classic case of privilege escalation, represented by CWE-639.
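The flaw described above is a missing object-level check: the endpoint verified that the caller held an administrator role but not that the caller was entitled to the specific account identified by {pk}. The following added example (not Modoboa's own code; the account model, role names and handler are a simplified stand-in written for this page) contrasts a role-only check with an object-level one and records every attempt for audit, as the recommended actions suggest.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed stand-in for Modoboa's account model. Assumption: the real
# project uses different class and field names; only the role names mirror
# Modoboa's SuperAdmins / DomainAdmins / SimpleUsers groups.
@dataclass
class Account:
    pk: int
    username: str
    role: str                                   # "SuperAdmins", "DomainAdmins" or "SimpleUsers"
    domain: str                                 # domain part of the mailbox address
    administered: frozenset = frozenset()       # domains a DomainAdmin manages
    password_hash: str = ""

AUDIT_LOG = []                                  # stand-in for a real audit sink

def role_only_check(actor: Account) -> bool:
    """The kind of check that leaves the IDOR open: it asks whether the caller
    is *some* administrator, never whether the caller may touch *this* target."""
    return actor.role in ("SuperAdmins", "DomainAdmins")

def may_set_password(actor: Account, target: Account) -> bool:
    """Object-level check that closes the IDOR: the caller must be entitled to
    the specific target record, not merely hold an admin role."""
    if actor.pk == target.pk:
        return True                             # anyone may change their own password
    if actor.role == "SuperAdmins":
        return True
    if actor.role == "DomainAdmins":
        # only mailboxes in a domain the actor administers, and never a superadmin
        return target.domain in actor.administered and target.role != "SuperAdmins"
    return False

def put_password(accounts: dict, actor: Account, pk: int, new_hash: str) -> int:
    """Hardened handler for PUT /api/v1/accounts/{pk}/password/; returns an HTTP status."""
    target = accounts.get(pk)
    if target is None:
        return 404
    allowed = may_set_password(actor, target)
    AUDIT_LOG.append({                          # log denied and allowed attempts alike
        "ts": datetime.now(timezone.utc).isoformat(),
        "actor": actor.username,
        "target": target.username,
        "allowed": allowed,
    })
    if not allowed:
        return 403
    target.password_hash = new_hash
    return 200
```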

Affected Systems

Modoboa versions earlier than 2.9.0 are affected. The vulnerability exists in the account password change endpoint, permitting domain administrators to override intended access controls.

Risk and Exploitability

The vulnerability has a CVSS score of 7.7. No EPSS score is available, and it is not listed in the CISA KEV catalog. The likely attack vector requires an authenticated domain administrator who can invoke the API endpoint. With such privileges, the attacker can reset any user’s password, including that of a superadmin, achieving full account takeover.

Generated by OpenCVE AI on June 29, 2026 at 19:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Modoboa to version 2.9.0 or later to eliminate the insecure direct object reference.
  • Revoke or limit domain administrator privileges and enforce least privilege principles so that only trusted users can access the password change API.
  • Enable auditing and monitoring of password reset activity to detect and respond to unauthorized changes promptly.

Advisories

No advisories yet.

History

Wed, 01 Jul 2026 14:30:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 29 Jun 2026 18:15:00 +0000

Type                | Values Removed | Values Added
Description         |                | Modoboa before 2.9.0 contains an insecure direct object reference vulnerability in the PUT /api/v1/accounts/{pk}/password/ endpoint that allows domain administrators to change any user's password. Attackers with domain admin privileges can bypass object-level access controls to reset superadmin passwords and achieve full account takeover.
Title               |                | Modoboa < 2.9.0 - Insecure Direct Object Reference in Account Password Change API
First Time appeared |                | Modoboa; Modoboa modoboa
Weaknesses          |                | CWE-639
CPEs                |                | cpe:2.3:a:modoboa:modoboa:*:*:*:*:*:*:*:*
Vendors & Products  |                | Modoboa; Modoboa modoboa
References          |                |
Metrics             |                | cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}
                    |                | cvssV4_0: {'score': 7.7, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-07-01T14:06:36.307Z

Reserved: 2026-06-23T01:22:22.572Z

Link: CVE-2026-56780

Vulnrichment

Updated: 2026-07-01T14:06:24.216Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-29T23:15:03Z

Weaknesses
  • CWE-639: Authorization Bypass Through User-Controlled Key