CVE-2026-44400
Severity: HIGH
MailEnable Enterprise Premium < 10.55 Authorization Bypass via WebAdmin
Title source: cnaDescription
MailEnable Enterprise Premium 10.55 and earlier contains an improper authorization vulnerability in the WebAdmin mobile portal: WebAdmin accepts an AuthenticationToken cookie that was issued to a low-privileged user, so reusing such a cookie bypasses its access checks. An attacker obtains a token from the WebMail login endpoint using the PersistentLogin parameter and replays it against the WebAdmin portal to perform highly privileged administrative actions.
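To make the flaw class concrete, the following is an added example and not MailEnable's code: a server that signs an AuthenticationToken cookie, a WebAdmin check that only verifies the signature and expiry (the vulnerable pattern), and a hardened check that also requires the token to have been issued for WebAdmin and for an admin-role subject. The token format, the `aud` and `role` fields, the function names, the secret and the user names are all assumptions; PersistentLogin is modelled only as a longer token lifetime.

```python
import base64
import hashlib
import hmac
import json

# Constructed server key for this example; a real deployment uses a random secret.
SECRET = b"example-server-secret"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user: str, role: str, aud: str, persistent: bool, now: int) -> str:
    """Mint an AuthenticationToken cookie value (assumed format: base64(json).base64(hmac)).

    `persistent` stands in for the PersistentLogin parameter: in this model it
    only lengthens the lifetime, which is what makes a captured token replayable later.
    """
    ttl = 30 * 24 * 3600 if persistent else 3600
    claims = {"sub": user, "role": role, "aud": aud, "exp": now + ttl}
    body = json.dumps(claims, sort_keys=True).encode()
    mac = hmac.new(SECRET, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(mac)


def _verify(token: str, now: int):
    """Return the claims if the MAC is valid and the token is unexpired, else None."""
    try:
        body_b64, mac_b64 = token.split(".")
        body = _unb64(body_b64)
        expected = hmac.new(SECRET, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(mac_b64)):
            return None
        claims = json.loads(body)
        if claims["exp"] <= now:
            return None
        return claims
    except (ValueError, KeyError, TypeError):
        return None


def webadmin_authorize_vulnerable(token: str, now: int) -> bool:
    """Vulnerable pattern: any authentic, unexpired token is accepted, no matter
    which portal issued it or which role the subject holds."""
    return _verify(token, now) is not None


def webadmin_authorize_fixed(token: str, now: int) -> bool:
    """Hardened pattern: the token must have been issued for WebAdmin and the
    subject must hold the admin role. Integrity alone is not authorization."""
    claims = _verify(token, now)
    return claims is not None and claims.get("aud") == "webadmin" and claims.get("role") == "admin"


def forge_claims(token: str, **changes) -> str:
    """Attacker rewrites the claims but keeps the old MAC (should always fail)."""
    body_b64, mac_b64 = token.split(".")
    claims = json.loads(_unb64(body_b64))
    claims.update(changes)
    return _b64(json.dumps(claims, sort_keys=True).encode()) + "." + mac_b64


def demo(now: int = 1_800_000_000) -> dict:
    # A low-privileged mailbox user (constructed) logs in to WebMail with PersistentLogin set.
    webmail_token = issue_token("alice", "user", "webmail", persistent=True, now=now)
    admin_token = issue_token("root", "admin", "webadmin", persistent=False, now=now)
    forged = forge_claims(webmail_token, role="admin", aud="webadmin")
    a_week_later = now + 7 * 24 * 3600
    return {
        "vulnerable_accepts_webmail_token": webadmin_authorize_vulnerable(webmail_token, now),
        "vulnerable_accepts_replay_a_week_later": webadmin_authorize_vulnerable(webmail_token, a_week_later),
        "fixed_accepts_webmail_token": webadmin_authorize_fixed(webmail_token, now),
        "fixed_accepts_admin_token": webadmin_authorize_fixed(admin_token, now),
        "fixed_accepts_forged_claims": webadmin_authorize_fixed(forged, now),
    }


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

The vulnerable checker treats "the cookie is authentic" as "the request is authorized", so a WebMail token for an ordinary user opens WebAdmin, and because the persistent variant lives for weeks the replay still works long after the login. The fix is two extra comparisons on claims the server itself signed: the audience the token was minted for and the subject's role.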
References (2)
Release Notes: https://www.mailenable.com/Premium-ReleaseNotes.txt
Third Party Advisory: https://www.vulncheck.com/advisories/mailenable-enterprise-premium-authorization-bypass-via-webadmin
Scores
CVSS v3.1: 8.1 (HIGH)
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: NETWORK
EPSS: 0.0035 (percentile 26.6%)
CISA SSVC (Vulnrichment)
Exploitation: none
Automatable: no
Technical Impact: total
Details
CWE: CWE-639 (Authorization Bypass Through User-Controlled Key)
Status: published
Products (2)
mailenable/mailenable: < 10.56
MailEnable/MailEnable Enterprise Premium: < 10.55
Note: the version bounds on this page are not consistent. The description and the mailenable/mailenable entry treat 10.55 as affected (fixed in 10.56), while the title and the Enterprise Premium entry list versions below 10.55. Confirm the fixed build against the vendor release notes before closing a finding.
Published: May 08, 2026
Tracked Since: May 09, 2026