MailEnable WebAdmin Vulnerability Bypasses Authentication (CVE-2026-44400)

The National Vulnerability Database highlights CVE-2026-44400, an improper authorization flaw in MailEnable Enterprise Premium 10.55 and earlier. This vulnerability resides in the WebAdmin mobile portal, allowing attackers to bypass authentication. The attack vector involves reusing AuthenticationToken cookies, initially generated for low-privileged users, against the WebAdmin portal.

Attackers can obtain a persistent token from the WebMail login endpoint and then replay it against the WebAdmin portal. This enables the execution of highly privileged administrative actions, effectively granting full control over the MailEnable server. The National Vulnerability Database assigns this a CVSS score of 8.1 (HIGH), underscoring the severity of this authentication bypass.

This isn’t just a theoretical bypass; it’s a critical flaw that grants an attacker administrative access with minimal effort. The attacker’s calculus here is straightforward: compromise a low-privilege WebMail session, grab a cookie, and pivot directly to WebAdmin. Defenders need to recognize that this is a direct path to full system compromise, not just a minor privilege escalation.

What This Means For You

  • If your organization uses MailEnable Enterprise Premium 10.55 or earlier, you are directly exposed to CVE-2026-44400. This vulnerability allows an attacker to gain full administrative control over your MailEnable server. Immediately identify all MailEnable instances and apply any available patches or workarounds to mitigate this critical authentication bypass.

🛡️ Detection Rules

title: CVE-2026-44400 - MailEnable WebAdmin Authentication Bypass via PersistentLogin Token Replay
id: scw-2026-05-08-ai-1
status: experimental
level: critical
description: |
  Detects the initial exploitation attempt of CVE-2026-44400. This rule looks for POST requests to the '/webadmin' URI that include the 'PersistentLogin=true' parameter in the query string, indicating an attempt to generate a token. A successful 200 status code suggests the token was generated, which can then be replayed to bypass authentication.
author: SCW Feed Engine (AI-generated)
date: 2026-05-08
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-44400/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  # The advisory text places PersistentLogin token issuance at the WebMail login
  # endpoint; this selection only matches requests whose URI contains /webadmin.
  selection:
    cs-uri|contains:
      - '/webadmin'
    # No modifier means an exact match in Sigma.
    cs-method:
      - 'POST'
    cs-uri-query|contains:
      - 'PersistentLogin=true'
  selection_base:
    sc-status:
      - '200'
  condition: selection and selection_base
falsepositives:
  - Legitimate administrative activity

Source: Shimi's Cyber World
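
The rule above keys on the token-generation request, while the replay described earlier shows up in logs as one AuthenticationToken value seen first on WebMail and later on WebAdmin. The Python below is an added example, not part of the original post or of MailEnable, that correlates that cookie across constructed IIS W3C log lines. The /webmail prefix, the log field layout (cookie logging enabled) and every sample value are assumptions; /webadmin and the cookie name come from the text above.

```python
import hashlib

COOKIE_NAME = "AuthenticationToken"   # cookie named in the advisory text
WEBADMIN_PREFIX = "/webadmin"         # path used by the Sigma rule above
WEBMAIL_PREFIX = "/webmail"           # assumption: adjust to your deployment

# Constructed IIS W3C sample with cookie logging enabled; all values are made up.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status cs(Cookie)
2026-05-08 10:00:01 203.0.113.7 POST /webmail/login.aspx PersistentLogin=true 200 -
2026-05-08 10:00:02 203.0.113.7 GET /webmail/inbox.aspx - 200 lang=en;+AuthenticationToken=tokA
2026-05-08 10:05:00 198.51.100.9 GET /webadmin/default.aspx - 200 AuthenticationToken=tokB
2026-05-08 10:07:30 203.0.113.7 GET /webadmin/default.aspx - 200 AuthenticationToken=tokA;+lang=en
2026-05-08 10:08:00 203.0.113.7 GET /webadmin/users.aspx - 302 AuthenticationToken=tokA
"""

def token_of(cookie_field):
    """Return the AuthenticationToken value from a cs(Cookie) field, or None."""
    for part in cookie_field.split(";"):
        # IIS writes the space after ';' as '+', so strip it from the name side only.
        name, _, value = part.lstrip("+ ").partition("=")
        if name == COOKIE_NAME and value:
            return value
    return None

def find_replays(log_text):
    """List WebAdmin requests whose token was earlier seen on WebMail."""
    fields, seen_on_webmail, hits = [], {}, []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        token = token_of(row.get("cs(Cookie)", "-"))
        if token is None:
            continue
        # Keep only a truncated hash so the report never contains a usable token.
        tid = hashlib.sha256(token.encode()).hexdigest()[:12]
        path = row.get("cs-uri-stem", "").lower()
        if path.startswith(WEBMAIL_PREFIX):
            seen_on_webmail.setdefault(tid, row.get("c-ip"))
        elif path.startswith(WEBADMIN_PREFIX) and tid in seen_on_webmail:
            hits.append({"time": f'{row.get("date")} {row.get("time")}',
                         "src": row.get("c-ip"), "path": path,
                         "status": row.get("sc-status"), "token_id": tid,
                         "webmail_src": seen_on_webmail[tid]})
    return hits
```

Pass the text of a log file to find_replays(); the result carries only truncated token hashes, so it can be handed to responders as-is.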

Indicators of Compromise

| ID | Type | Indicator |
|---|---|---|
| CVE-2026-44400 | Auth Bypass | MailEnable Enterprise Premium 10.55 and earlier |
| CVE-2026-44400 | Auth Bypass | Improper authorization in WebAdmin mobile portal |
| CVE-2026-44400 | Auth Bypass | Reusing AuthenticationToken cookies |
| CVE-2026-44400 | Auth Bypass | WebMail login endpoint with PersistentLogin parameter |

Source & Attribution

Source Platform: NVD
Channel: National Vulnerability Database
Published: May 09, 2026 at 00:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
