CVE-2026-40514

MEDIUM

SmarterTools SmarterMail < Build 9610 Cryptographic Weakness via Weak RNG

Title source: cna

Description

SmarterTools SmarterMail builds prior to 9610 contain a cryptographic weakness in the file and email sharing endpoints that use DES-CBC encryption with keys and initialization vectors derived from System.Random seeded with insufficient entropy, reducing the seed space to approximately 19,000 possible values. An unauthenticated attacker can use the attachment download endpoint as an oracle to determine the seed in use and derive encryption keys and initialization vectors to forge sharing tokens for arbitrary emails, attachments, or file storage contents without prior access to the targeted content.

References (2)

[Patch] https://www.smartertools.com/smartermail/release-notes/current

[Third Party Advisory] https://www.vulncheck.com/advisories/smartertools-smartermail-build-9610-cryptographic-weakness-via-weak-rng

Scores

CVSS v3 5.9

EPSS 0.0003

EPSS Percentile 6.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-338

Status published

Products (1)

SmarterTools Inc./SmarterMail < 100.0.9610

Published Apr 27, 2026

Tracked Since Apr 27, 2026