Mallory

Authentication Bypass and Password-Reset Flaws Enable Account Takeover in SmarterMail and Appsmith

Tags: identity-authentication-vulnerability, actively-exploited-vulnerability, widely-deployed-product-advisory, internet-facing-service-vulnerability, proof-of-concept-release
Updated March 21, 2026 at 02:48 PM · 2 sources

watchTowr Labs disclosed WT-2026-0001, an authentication bypass in SmarterTools SmarterMail that lets a user reset the system administrator password through a password-reset mechanism and then use SmarterMail’s built-in “RCE-as-a-feature” capabilities to execute OS commands. The researcher reported the issue and stated it was patched quickly, citing SmarterMail build 9511 (2026-01-15) as the fixed release; publication was accelerated after a tip that attackers were actively exploiting the flaw to reset admin passwords, with forum-shared logs reportedly showing suspicious activity tied to the force-reset-password endpoint.

Resecurity reported exploitation of CVE-2026-22794 in Appsmith, a critical authentication weakness in the password reset flow where the application trusts a client-controlled Origin header to build reset links. An attacker can initiate a reset for a victim while supplying a malicious Origin so the victim’s email contains a link to attacker infrastructure; when clicked, the reset token is exposed, enabling password change and full account takeover. Resecurity identified the affected endpoint as /api/v1/users/forgotPassword, stated Appsmith ≤ 1.92 is affected, and that the issue is fixed in Appsmith ≥ 1.93.
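The Origin-trusting reset-link construction described above, beside the hardened form that anchors every link on an operator-configured trusted base URL, as an added example that is not Appsmith's code (the RESET_PATH value, the APP_BASE_URL setting and the function names are assumptions):

```python
# Password-reset link construction: Origin-trusting (vulnerable) vs. configured base URL.
# Added example modelling the weakness described for Appsmith CVE-2026-22794; it is not
# Appsmith's code. RESET_PATH, the APP_BASE_URL setting and the function names are assumptions.
from urllib.parse import urlsplit

APP_BASE_URL = "https://appsmith.example.internal"  # operator-configured trusted base URL
RESET_PATH = "/user/resetPassword"                  # assumed path, for illustration only

def build_reset_link_vulnerable(headers: dict, token: str) -> str:
    # Vulnerable pattern: the host embedded in the emailed link is copied from the
    # client-controlled Origin header, so whoever triggers the reset decides where the
    # victim's token is delivered when the link is clicked.
    origin = headers.get("Origin", APP_BASE_URL)
    return f"{origin}{RESET_PATH}?token={token}"

def _origin_key(url: str) -> tuple:
    # Normalise to (scheme, host, port) so "https://h" and "https://h:443" compare equal.
    p = urlsplit(url)
    port = p.port or {"https": 443, "http": 80}.get(p.scheme.lower())
    return (p.scheme.lower(), p.hostname, port)

def origin_allowed(origin: str) -> bool:
    # True only when the request Origin is exactly the configured base URL's origin.
    return _origin_key(origin) == _origin_key(APP_BASE_URL)

def build_reset_link_hardened(headers: dict, token: str) -> str:
    # Hardened pattern: the link is always anchored on APP_BASE_URL. A present but
    # mismatched Origin is rejected (and should be logged) rather than echoed into the email.
    origin = headers.get("Origin")
    if origin is not None and not origin_allowed(origin):
        raise ValueError(f"rejected reset request: Origin {origin!r} is not the configured base URL")
    return f"{APP_BASE_URL}{RESET_PATH}?token={token}"
```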

Timeline

  1. Jan 21, 2026

    Appsmith 1.93 identified as fix for CVE-2026-22794

    The Resecurity report states that Appsmith versions up to and including 1.92 are affected, while version 1.93 and later contain the fix. Users were advised to upgrade and enforce a trusted base URL to prevent malicious reset-link generation.

  2. Jan 21, 2026

    Resecurity reports active exploitation and publishes Appsmith PoC

    Resecurity said CVE-2026-22794 was being actively exploited and published proof-of-concept steps plus a Nuclei template showing token theft through the /api/v1/users/forgotPassword endpoint. The report also noted internet-exposed Appsmith instances and recommended upgrading and hardening reverse proxies or WAFs.

  3. Jan 21, 2026

    Appsmith flaw enables account takeover via Origin header manipulation

    Resecurity disclosed CVE-2026-22794, a critical flaw in Appsmith's password reset and email verification flow that trusts the client-controlled HTTP Origin header when generating links. An attacker can cause a legitimate reset email to send victims to an attacker-controlled domain, capture the reset token, and take over the account.

  4. Jan 21, 2026

    Anonymous tip alerts researchers to likely SmarterMail exploitation

    By January 21, watchTowr said it had received an anonymous tip pointing to exploitation activity against the SmarterMail vulnerability. The report connected this tip with earlier forum evidence to support concerns of real-world abuse.

  5. Jan 15, 2026

    Forum post suggests in-the-wild exploitation of SmarterMail flaw

    A SmarterMail forum thread cited by watchTowr indicated possible active exploitation, including log evidence referencing the /api/v1/auth/force-reset-password endpoint shortly after the patch became available. This suggested attackers may have been exploiting or probing vulnerable systems rapidly after patch release.

  6. Jan 15, 2026

    SmarterTools releases SmarterMail 9511 to fix admin reset flaw

    SmarterTools released SmarterMail version 9511, which added validation checks to the sysadmin password reset path and blocked the exploit path with an "Invalid input parameters" response. This version is identified as the vendor patch for WT-2026-0001.

  7. Jan 8, 2026

    watchTowr discovers and reports SmarterMail auth bypass to vendor

    watchTowr identified WT-2026-0001 in SmarterTools SmarterMail, an authentication bypass that lets an unauthenticated attacker reset the system administrator password via /api/v1/auth/force-reset-password. The researchers reported the issue to the vendor on the same day.
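The timeline notes that forum-shared logs referencing the /api/v1/auth/force-reset-password endpoint were the first sign of exploitation, and that build 9511 answers the exploit path with "Invalid input parameters". The following added triage routine (not from watchTowr or SmarterTools) groups requests to that endpoint by client IP and separates likely-successful resets from blocked attempts; the log format and sample lines are constructed for the demonstration.

```python
# Triage of web-server logs for requests to the SmarterMail force-reset-password endpoint.
# Added example, not from watchTowr or SmarterTools. The log lines below are constructed in
# a simple "date time client-ip method path status" format (other paths are placeholders);
# adapt LINE_RE to your server's real access-log format.
import re
from dataclasses import dataclass

ENDPOINT = "/api/v1/auth/force-reset-password"
LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$"
)

# Constructed sample log using RFC 5737 documentation addresses, not real indicators.
SAMPLE_LOG = """\
2026-01-17 03:12:40 198.51.100.7 GET /interface/placeholder-login 200
2026-01-17 03:12:44 203.0.113.5 POST /api/v1/auth/force-reset-password 200
2026-01-17 03:12:45 203.0.113.5 POST /interface/placeholder-login 200
2026-01-17 03:20:01 203.0.113.9 POST /api/v1/auth/force-reset-password 400
2026-01-17 03:20:02 203.0.113.9 POST /api/v1/auth/force-reset-password 400
2026-01-17 04:01:13 198.51.100.7 GET /interface/placeholder-inbox 200
"""

@dataclass
class Finding:
    ip: str
    hits: int = 0
    succeeded: int = 0  # 2xx: a reset likely went through (pre-build-9511 behaviour)
    blocked: int = 0    # 4xx: consistent with the patched "Invalid input parameters" rejection

def triage(log_text: str) -> list:
    # Group force-reset-password requests by client IP; IPs with successful resets sort first.
    per_ip = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["path"].split("?", 1)[0].lower() != ENDPOINT:
            continue
        f = per_ip.setdefault(m["ip"], Finding(m["ip"]))
        f.hits += 1
        status = int(m["status"])
        if 200 <= status < 300:
            f.succeeded += 1
        elif 400 <= status < 500:
            f.blocked += 1
    # Any 2xx hit means the sysadmin credential must be treated as compromised: rotate it and
    # review admin-level changes made since then (the reporting mentions malicious System Events).
    return sorted(per_ip.values(), key=lambda f: (-f.succeeded, -f.hits, f.ip))
```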


Related Stories

SmarterMail WT-2026-0001 Authentication Bypass Enables Admin Takeover and RCE

SmarterTools *SmarterMail* patched a critical authentication bypass tracked as **WT-2026-0001** after researchers reported that attackers can reset the **system administrator** password without authentication by abusing the `/api/v1/auth/force-reset-password` endpoint. The flaw stems from logic in `SmarterMail.Web.Api.AuthenticationController.ForceResetPassword` that permits anonymous access and trusts a user-supplied boolean (`IsSysAdmin`); when set to `true`, the code path updates an admin account’s password without validating the old password or enforcing authorization checks. Both reports indicate the issue is **actively exploited in the wild**, with observed exploitation occurring **within days of the vendor patch** (including reports of activity as soon as two days after release). Once an attacker resets the admin password, they can take over the mail server and leverage built-in administrative capabilities to execute OS commands, effectively achieving **remote code execution (RCE)** and full compromise of affected SmarterMail deployments; the patch was released as **Build 9511** following responsible disclosure by watchTowr Labs researchers **Piotr Bazydlo** and **Sina Kheirkhah**.

1 month ago
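The story above describes a reset handler that decides the privileged code path from a client-supplied `IsSysAdmin` boolean. As an added illustration (not SmarterMail code; the request shape, account store and function names are assumptions), here is that pattern next to a hardened handler that derives privilege from the authenticated session and requires the old password for self-service changes:

```python
# Client-asserted privilege flag (vulnerable) vs. session-derived authorization (hardened).
# Added example illustrating the pattern described above for WT-2026-0001; it is not
# SmarterMail code. Request shape, account store and function names are assumptions.
from dataclasses import dataclass
from typing import Optional

def hash_password(pw: str) -> str:
    return "h:" + pw  # stand-in for a real password hash (argon2/bcrypt)

@dataclass
class Account:
    username: str
    is_sysadmin: bool
    password_hash: str

USERS = {
    "admin": Account("admin", True, hash_password("admin-old")),
    "alice": Account("alice", False, hash_password("alice-old")),
}

def force_reset_vulnerable(body: dict) -> str:
    # Vulnerable pattern: reachable anonymously, and the server believes the client's own
    # IsSysAdmin claim; no session, old password or reset token is ever checked.
    if body.get("IsSysAdmin") is True and body.get("Username") in USERS:
        USERS[body["Username"]].password_hash = hash_password(body["NewPassword"])
        return "OK"
    return "Invalid input parameters"

def force_reset_hardened(session_user: Optional[str], body: dict) -> str:
    # Hardened pattern: privilege comes from the authenticated session (session_user is the
    # username bound to the session, None for anonymous), never from the request body;
    # non-admins may only change their own password and must present the old one.
    if session_user is None:
        return "Unauthorized"
    caller = USERS[session_user]
    target = USERS.get(body.get("Username", ""))
    if target is None:
        return "Invalid input parameters"
    if not caller.is_sysadmin:
        if caller.username != target.username:
            return "Forbidden"
        if hash_password(body.get("OldPassword", "")) != target.password_hash:
            return "Invalid input parameters"
    target.password_hash = hash_password(body["NewPassword"])
    return "OK"
```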
Active Exploitation of SmarterMail Authentication Bypass Leading to Admin Takeover and RCE

Internet-wide scanning identified **6,000+ SmarterTools SmarterMail** servers exposed online and likely vulnerable to **CVE-2026-23760**, a **critical authentication bypass** in the password reset API that enables **unauthenticated admin account takeover** and can lead to **remote code execution**. The flaw affects SmarterMail versions prior to **build 9511** and abuses the `/api/v1/auth/force-reset-password` (aka `force-reset-password`) endpoint, which allows anonymous password resets for administrator accounts without validating the existing password or requiring a reset token. SmarterTools issued a fix on **January 15, 2026** (later assigned CVE-2026-23760), and Shadowserver reported large-scale exposure with thousands of instances flagged as “likely vulnerable,” including heavy concentration in North America and additional exposure in Asia. Multiple sources reported **active exploitation** shortly after patch availability, with observed attacker behavior consistent with automated hijacking: resetting admin credentials, obtaining authenticated access, and then leveraging SmarterMail administrative capabilities to execute OS-level commands. Huntress reported attackers creating malicious **System Events** to run reconnaissance commands and establish persistence, while watchTowr (which reported the issue to SmarterTools) received additional reports of exploitation in production environments. The reporting also notes this disclosure follows closely after another critical pre-auth SmarterMail issue (**CVE-2025-52691**), reinforcing that unpatched, internet-exposed SmarterMail deployments are being actively targeted.

1 month ago
SmarterTools Breach via Unpatched SmarterMail Server Leading to Warlock Ransomware Attempt

**SmarterTools** confirmed it was breached after attackers exploited an unpatched instance of its *SmarterMail* email server inside the company’s environment. COO Derek Curtis said the intrusion occurred on **January 29, 2026**, when an employee-created VM running SmarterMail was not being updated; attackers used it as an entry point, then moved laterally across roughly **30 SmarterMail servers/VMs** spanning the office network and a datacenter used for quality-control labs. The incident disrupted the company’s **Portal** support center, but SmarterTools said segmentation limited broader impact and that security tooling blocked the ransomware encryption attempt. Reporting attributes the activity to the **Warlock ransomware** operation (also linked in some tracking to **Gold Salem**). SmarterTools did not publicly name the exploited flaw, but coverage points to **CVE-2026-24423**—a *SmarterMail* **authentication bypass** that can enable **admin password resets**—as the most likely initial vector; it was disclosed by **watchTowr Labs**, patched on **January 15**, and later added to **CISA KEV** with an “**Exploited in ransomware attacks**” designation. SmarterTools stated that only a subset of **Windows** systems appeared impacted (with **Linux** servers unaffected), and that business applications/account data were not compromised; post-incident actions included removing Windows from networks, discontinuing **Active Directory**, restoring some systems from recent backups, and rotating passwords.

1 month ago
