Description
SmarterTools SmarterMail builds prior to 9560 contain a local file inclusion vulnerability in the /api/v1/report/summary/{type} API endpoint that allows authenticated users to read arbitrary .json files on the system. Attackers can exploit this vulnerability combined with weak encryption algorithms and hardcoded keys to decrypt and access stored passwords and 2FA secrets for all users.
Published: 2026-05-08
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a local file inclusion flaw in the /api/v1/report/summary/{type} API of SmarterMail builds before 9560. An authenticated user can manipulate the {type} parameter to read arbitrary .json files from the server. Because these files may contain encrypted passwords and two‑factor authentication secrets, an attacker can combine the LFI with weak encryption algorithms and hard‑coded keys to decrypt and acquire credentials for all users.
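To make the CWE-22 pattern concrete, here is an added example written for this page. It is not SmarterMail's code and makes no claim about how the real endpoint resolves the {type} segment: it is a hypothetical report handler that interpolates the segment straight into a filesystem path, placed beside a hardened version that allowlists the segment and verifies the canonical path stays inside the report directory. The directory layout, the names in ALLOWED_REPORT_TYPES and the contents of users.json are all constructed for the demonstration.

```python
"""Added example: a CWE-22 path traversal in a report handler, vulnerable and hardened.
Not SmarterMail's code; the directory tree and report names are constructed for the demo."""
import os
import tempfile
from pathlib import Path

# Hypothetical report names; the real endpoint's set of report types is not known here.
ALLOWED_REPORT_TYPES = frozenset({"traffic", "spam", "disk"})


def make_fixture_root() -> Path:
    """Build a throwaway directory tree (constructed data, not SmarterMail's layout)."""
    root = Path(tempfile.mkdtemp(prefix="reportdemo-"))
    (root / "reports").mkdir()
    (root / "reports" / "traffic.json").write_text('{"messages": 42}')
    (root / "config").mkdir()
    # Stand-in for a sensitive .json file that lives outside the report directory.
    (root / "config" / "users.json").write_text(
        '{"admin": {"password": "<ciphertext>", "totp": "<ciphertext>"}}'
    )
    return root


def vulnerable_summary(root: Path, report_type: str) -> str:
    """CWE-22 pattern: the caller-controlled segment is interpolated into the path unchecked.
    A value such as '../config/users' walks out of reports/ and reads any .json file."""
    path = root / "reports" / f"{report_type}.json"
    return path.read_text()


def hardened_summary(root: Path, report_type: str) -> str:
    """Allowlist the segment, then confirm the canonical path still sits under reports/."""
    if report_type not in ALLOWED_REPORT_TYPES:
        raise PermissionError(f"unknown report type: {report_type!r}")
    base = (root / "reports").resolve()
    target = (base / f"{report_type}.json").resolve()
    # Defence in depth: catches symlinks or '..' that an allowlist alone would not.
    if os.path.commonpath([base, target]) != str(base):
        raise PermissionError("path escapes the report directory")
    return target.read_text()


def is_rejected(root: Path, report_type: str) -> bool:
    """True when the hardened handler refuses to serve the requested type."""
    try:
        hardened_summary(root, report_type)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    root = make_fixture_root()
    print("vulnerable, legitimate type:", vulnerable_summary(root, "traffic"))
    print("vulnerable, traversal      :", vulnerable_summary(root, "../config/users"))
    print("hardened, legitimate type  :", hardened_summary(root, "traffic"))
    print("hardened, traversal rejected:", is_rejected(root, "../config/users"))
```

The allowlist is the control that actually closes the bug; the containment check after `resolve()` is there so that a future change to the allowlist (or a symlink dropped into the report directory) cannot quietly reopen it.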

Affected Systems

SmarterTools Inc.'s SmarterMail application, specifically versions earlier than build 9560. The flaw affects any deployment of SmarterMail that has not been updated to build 9560 or later.

Risk and Exploitability

The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H) scores 8.7 (High): reachable over the network, low attack complexity, requiring only a low-privileged account, with high confidentiality, integrity and availability impact on the vulnerable system. The CVSS 3.1 vector recorded in the history (AV:N/AC:H/PR:N, score 8.1) lists no privileges required and high complexity, which conflicts with the authenticated precondition in the description; the 4.0 vector is the one that matches the described conditions. EPSS is below 1% and the CVE is not listed in the CISA KEV catalog; the SSVC assessment records Exploitation: none and Automatable: no. Any account that can reach the API endpoint can abuse the flaw. Because the leaked .json files hold passwords and 2FA secrets protected only by weak encryption and hard-coded keys, a successful read can be turned into credentials for every user, giving access to every mailbox and, where an administrator's credentials are among them, administrative access to the server.

Generated by OpenCVE AI on May 8, 2026 at 21:21 UTC.

Remediation

No vendor advisory or workaround is linked on this page. The CVE description identifies build 9560 as the first unaffected build, so updating to build 9560 or later is the fix.

OpenCVE Recommended Actions

  • Upgrade SmarterMail to build 9560 or later to eliminate the LFI vulnerability.
  • If an upgrade cannot be performed immediately, limit access to the /api/v1/report/summary endpoint to a minimal set of administrators and closely monitor its usage.
  • The weak encryption algorithm and hard-coded keys are part of the vendor's code, not of the deployment's configuration, so they cannot be fixed by an administrator; after upgrading, assume that passwords and 2FA secrets stored on an instance that was reachable by untrusted accounts may already have been decrypted, and rotate them.
  • Operating-system file permissions do not mitigate this flaw, because the application process reads the .json files on the requester's behalf; the effective controls are limiting who can authenticate to the endpoint and reviewing access logs for abnormal {type} values.
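As an added example of the monitoring suggested above (written for this page, not tooling from OpenCVE or SmarterTools), the script below scans web-server access-log lines for requests to the summary endpoint whose {type} segment decodes to a traversal sequence, including double-encoded and backslash variants. The log lines are constructed in a generic combined-log shape, and the IP addresses, usernames and target names are placeholders; the line regex will need adjusting to the real server's log format.

```python
"""Added detection example: flag summary-endpoint requests whose {type} segment
contains a '..' path component after full percent-decoding. Log lines are constructed."""
import re
from typing import Optional
from urllib.parse import unquote

ENDPOINT = "/api/v1/report/summary/"

# Combined-log style line (constructed shape; adapt to the real server's log format).
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# A '..' component delimited by either separator (or the string edges) after decoding.
TRAVERSAL_RE = re.compile(r'(?:^|[/\\])\.\.(?:[/\\]|$)')

# Constructed sample: one normal user, one probing account, one unrelated traversal.
SAMPLE_LOG = """\
203.0.113.5 - alice [08/May/2026:10:00:01 +0000] "GET /api/v1/report/summary/traffic HTTP/1.1" 200 512
203.0.113.9 - bob [08/May/2026:10:00:07 +0000] "GET /api/v1/report/summary/..%2F..%2Fplaceholder HTTP/1.1" 200 8192
203.0.113.9 - bob [08/May/2026:10:00:09 +0000] "GET /api/v1/report/summary/%252e%252e%255Cplaceholder HTTP/1.1" 200 8192
198.51.100.7 - carol [08/May/2026:10:01:00 +0000] "GET /api/v1/report/summary/spam?range=7d HTTP/1.1" 200 640
198.51.100.7 - carol [08/May/2026:10:01:30 +0000] "GET /static/../index.html HTTP/1.1" 404 0
203.0.113.9 - bob [08/May/2026:10:02:00 +0000] "GET /api/v1/report/summary/..%2Fplaceholder HTTP/1.1" 403 0
"""


def decode_fully(value: str, max_rounds: int = 5) -> str:
    """Percent-decode repeatedly so double-encoded sequences (%252e -> %2e -> .) are caught."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def report_type_of(path: str) -> Optional[str]:
    """Return the decoded {type} segment if the path targets the summary endpoint, else None."""
    path = path.split("?", 1)[0]
    if not path.startswith(ENDPOINT):
        return None
    return decode_fully(path[len(ENDPOINT):])


def is_traversal(report_type: str) -> bool:
    """True for a '..' component with '/' or '\\' separators, or an embedded NUL."""
    return bool(TRAVERSAL_RE.search(report_type)) or "\x00" in report_type


def scan(log_text: str) -> list:
    """Return one finding per summary-endpoint request whose {type} is a traversal attempt.
    A 200 status on such a request means the server likely served the file."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rtype = report_type_of(m["path"])
        if rtype is None or not is_traversal(rtype):
            continue
        findings.append({"ip": m["ip"], "user": m["user"],
                         "status": int(m["status"]), "type": rtype})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['ip']} {f['user']} status={f['status']} type={f['type']!r}")
```

Scoping the rule to the summary endpoint keeps it quiet; the unrelated `/static/../index.html` line is deliberately not flagged. Findings with a 200 status deserve the first look, since on an unpatched build they indicate a file was actually returned.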



Advisories

No advisories yet.

History

Sun, 10 May 2026 15:15:00 +0000

Type: Metrics
Values added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 08 May 2026 22:45:00 +0000

Type: First Time appeared
Values added: Smartertools; Smartertools smartermail

Type: Vendors & Products
Values added: Smartertools; Smartertools smartermail

Fri, 08 May 2026 20:00:00 +0000

Type: Description
Values added: SmarterTools SmarterMail builds prior to 9560 contain a local file inclusion vulnerability in the /api/v1/report/summary/{type} API endpoint that allows authenticated users to read arbitrary .json files on the system. Attackers can exploit this vulnerability combined with weak encryption algorithms and hardcoded keys to decrypt and access stored passwords and 2FA secrets for all users.

Type: Title
Values added: SmarterTools SmarterMail < Build 9560 Server Local File Inclusion via the /api/v1/report/summary/{type} API

Type: Weaknesses
Values added: CWE-22

Type: References

Type: Metrics
Values added: cvssV3_1 {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}; cvssV4_0 {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-10T14:29:07.311Z

Reserved: 2026-05-04T20:56:15.558Z

Link: CVE-2026-7807

Vulnrichment

Updated: 2026-05-10T14:29:03.714Z

NVD

Status : Received

Published: 2026-05-08T20:16:32.200

Modified: 2026-05-08T20:16:32.200

Link: CVE-2026-7807

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-08T22:30:18Z

Weaknesses