CVE-2026-40514 HIGH

CVE-2026-40514: SmarterTools SmarterMail < Build 9610 Cryptographic Weakness via Weak RNG

Vendor Smartertools Inc.
Product SmarterMail
Weakness CWE-338
Published April 27, 2026
Last update April 27, 2026

CVSS base score

8.2/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01Description

SmarterTools SmarterMail builds prior to 9610 contain a cryptographic weakness in the file and email sharing endpoints that use DES-CBC encryption with keys and initialization vectors derived from System.Random seeded with insufficient entropy, reducing the seed space to approximately 19,000 possible values. An unauthenticated attacker can use the attachment download endpoint as an oracle to determine the seed in use and derive encryption keys and initialization vectors to forge sharing tokens for arbitrary emails, attachments, or file storage contents without prior access to the targeted content.

Key dates

02Disclosure timeline

April 27, 2026 CVE published
April 27, 2026 Record updated