GHSA-WWV8-CQPR-VX3M
Vulnerability from github – Published: 2026-03-25 17:03 – Updated: 2026-03-25 17:03
VLAI?
Summary
Modoboa has OS Command Injection
Details
Summary
exec_cmd() in modoboa/lib/sysutils.py always runs subprocess calls with shell=True. Since domain names flow directly into shell command strings without any sanitization, a Reseller or SuperAdmin can include shell metacharacters in a domain name to run arbitrary OS commands on the server.
Details
The root cause is in modoboa/lib/sysutils.py:31:
kwargs["shell"] = True
process = subprocess.Popen(cmd, **kwargs)
When a create a domain is created with DKIM enabled, the domain name gets embedded into a shell command like this:
exec_cmd(f"openssl genrsa -out {dkim_storage_dir}/{domain.name}.pem {key_size}")
If the domain name contains something like $(id>/tmp/proof).example.com, the shell executes the injected command before running openssl.
The same pattern appears in several other places:
modoboa/admin/jobs.py:38— mailbox rename viamvusingfull_addressmodoboa/amavis/lib.py:202—sa-learnusingdomain.namemodoboa/admin/models/mailbox.py:150—doveadm userusingfull_addressmodoboa/maillog/graphics.py:105–107—rrdtoolusingdomain.namemodoboa/webmail/models.py:54–57—doveadm move/deleteusingaccount.email
PoC
- Deploy modoboa <= 2.7.0
- Log in as a Reseller or SuperAdmin
- Create a new domain named
$(id>/tmp/proof).example.comwith DKIM enabled - SSH into the server and read
/tmp/proof
Something like this will be displayed:
uid=0(root) gid=0(root) groups=0(root)
Confirmed on commit b521bcb4f (latest main at time of discovery).
Impact
An attacker with Reseller-level access (or higher) can execute arbitrary OS commands on the mail server — in a typical Modoboa deployment this means running as root. All six identified sinks are reachable through normal application workflows.
Severity ?
7.2 (High)
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2.7.0"
},
"package": {
"ecosystem": "PyPI",
"name": "modoboa"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.7.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-27602"
],
"database_specific": {
"cwe_ids": [
"CWE-78"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-25T17:03:37Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Summary\n\n`exec_cmd()` in `modoboa/lib/sysutils.py` always runs subprocess calls with `shell=True`. Since domain names flow directly into shell command strings without any sanitization, a Reseller or SuperAdmin can include shell metacharacters in a domain name to run arbitrary OS commands on the server.\n\n### Details\n\nThe root cause is in `modoboa/lib/sysutils.py:31`:\n\n```python\nkwargs[\"shell\"] = True\nprocess = subprocess.Popen(cmd, **kwargs)\n```\n\nWhen a create a domain is created with DKIM enabled, the domain name gets embedded into a shell command like this:\n\n```python\nexec_cmd(f\"openssl genrsa -out {dkim_storage_dir}/{domain.name}.pem {key_size}\")\n```\n\nIf the domain name contains something like `$(id\u003e/tmp/proof).example.com`, the shell executes the injected command before running openssl.\n\nThe same pattern appears in several other places:\n\n- `modoboa/admin/jobs.py:38` \u2014 mailbox rename via `mv` using `full_address`\n- `modoboa/amavis/lib.py:202` \u2014 `sa-learn` using `domain.name`\n- `modoboa/admin/models/mailbox.py:150` \u2014 `doveadm user` using `full_address`\n- `modoboa/maillog/graphics.py:105\u2013107` \u2014 `rrdtool` using `domain.name`\n- `modoboa/webmail/models.py:54\u201357` \u2014 `doveadm move/delete` using `account.email`\n\n### PoC\n\n1. Deploy modoboa \u003c= 2.7.0\n2. Log in as a Reseller or SuperAdmin\n3. Create a new domain named `$(id\u003e/tmp/proof).example.com` with DKIM enabled\n4. SSH into the server and read `/tmp/proof`\n\nSomething like this will be displayed:\n\n```\nuid=0(root) gid=0(root) groups=0(root)\n```\n\nConfirmed on commit b521bcb4f (latest main at time of discovery).\n\n### Impact\n\nAn attacker with Reseller-level access (or higher) can execute arbitrary OS commands on the mail server \u2014 in a typical Modoboa deployment this means running as root. All six identified sinks are reachable through normal application workflows.",
"id": "GHSA-wwv8-cqpr-vx3m",
"modified": "2026-03-25T17:03:37Z",
"published": "2026-03-25T17:03:37Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/modoboa/modoboa/security/advisories/GHSA-wwv8-cqpr-vx3m"
},
{
"type": "WEB",
"url": "https://github.com/modoboa/modoboa/commit/27a7aa133d3608fe8c25ae39125d1012c333cbfa"
},
{
"type": "PACKAGE",
"url": "https://github.com/modoboa/modoboa"
},
{
"type": "WEB",
"url": "https://github.com/modoboa/modoboa/releases/tag/2.7.1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Modoboa has OS Command Injection"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…