GHSA-c3qp-4qxm-fwhr
Modoboa versions before 2.9.0 contain an insecure direct object reference vulnerability in the password reset API endpoint. This flaw allows domain administrators to bypass object-level access controls and change any user's password, including superadmin accounts, potentially leading to full account takeover.
AI Analysis
Technical Summary
The vulnerability in Modoboa prior to version 2.9.0 exists in the PUT /api/v1/accounts/{pk}/password/ endpoint. It allows attackers with domain administrator privileges to circumvent object-level access controls and reset passwords of arbitrary users, including superadmins. This insecure direct object reference (CWE-639) can lead to full account compromise by escalating privileges through password resets. No patch or official fix information is provided in the available data.
Potential Impact
Attackers who have domain administrator privileges can exploit this vulnerability to reset the passwords of any user, including superadmins. This can result in full account takeover, compromising the integrity and security of the affected Modoboa installation. There is no indication of known exploits in the wild at this time.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict domain administrator privileges to trusted personnel only and monitor for suspicious password reset activity. Avoid exposing the vulnerable API endpoint to untrusted networks.
GHSA-c3qp-4qxm-fwhr
Description
Modoboa versions before 2.9.0 contain an insecure direct object reference vulnerability in the password reset API endpoint. This flaw allows domain administrators to bypass object-level access controls and change any user's password, including superadmin accounts, potentially leading to full account takeover.
CVSS v4.0
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability in Modoboa prior to version 2.9.0 exists in the PUT /api/v1/accounts/{pk}/password/ endpoint. It allows attackers with domain administrator privileges to circumvent object-level access controls and reset passwords of arbitrary users, including superadmins. This insecure direct object reference (CWE-639) can lead to full account compromise by escalating privileges through password resets. No patch or official fix information is provided in the available data.
Potential Impact
Attackers who have domain administrator privileges can exploit this vulnerability to reset the passwords of any user, including superadmins. This can result in full account takeover, compromising the integrity and security of the affected Modoboa installation. There is no indication of known exploits in the wild at this time.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict domain administrator privileges to trusted personnel only and monitor for suspicious password reset activity. Avoid exposing the vulnerable API endpoint to untrusted networks.
Technical Details
- Gcve Source
- db.gcve.eu
- Osv Id
- GHSA-c3qp-4qxm-fwhr
- Osv Schema Version
- 1.4.0
- Aliases
- ["CVE-2026-56780"]
- Ecosystems
- []
- Database Specific Severity
- HIGH
- Cvss Version
- 4.0
Threat ID: 6a42ed1c27e9c797199332c5
Added to database: 06/29/2026, 22:09:32 UTC
Last enriched: 06/29/2026, 22:13:59 UTC
Last updated: 06/30/2026, 01:31:26 UTC
Views: 2
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.