CVE-2026-44400 HIGH

CVE-2026-44400: MailEnable Enterprise Premium < 10.55 Authorization Bypass via WebAdmin

Vendor Mailenable
Product MailEnable Enterprise Premium
Weakness CWE-639 · IDOR
Published May 8, 2026
Last update May 25, 2026

CVSS base score

8.7/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01Description

MailEnable Enterprise Premium 10.55 and earlier contains an improper authorization vulnerability in the WebAdmin mobile portal that allows attackers to bypass authentication checks by reusing AuthenticationToken cookies generated for low-privileged users. Attackers can obtain a token from the WebMail login endpoint using the PersistentLogin parameter and replay it against the WebAdmin portal to perform highly privileged administrative actions.

Key dates

02Disclosure timeline

May 8, 2026 CVE published
May 25, 2026 Record updated