CVE-2026-7807: SmarterTools SmarterMail < Build 9560 Server Local File Inclusion via the /api/v1/report/summary/{type} API

Published May 8, 2026

SmarterTools SmarterMail builds prior to 9560 contain a local file inclusion vulnerability in the /api/v1/report/summary/{type} API endpoint that allows authenticated users to read arbitrary .json files on the system. Attackers can exploit this vulnerability combined with weak encryption algorithms and hardcoded keys to decrypt and access stored passwords and 2FA secrets for all users.

Affected Software

1 affected component
SmarterTools SmarterMail < 9560

Event History

May 8, 2026
CVE Published
via MITRE·07:54 PM
Data Sourced
via MITRE·07:54 PM
Description, Severity, Weakness
Data Sourced
via NVD·08:16 PM
Description, Severity, Weakness
Oct 13, 58358
Event
via FIRST·11:36 PM

Frequently Asked Questions

1. What is the severity of CVE-2026-7807?

CVE-2026-7807 is classified as a high-severity vulnerability due to its potential for unauthorized access to sensitive files.

2. How do I fix CVE-2026-7807?

To fix CVE-2026-7807, upgrade to SmarterMail version 9560 or later, which addresses this local file inclusion vulnerability.

3. Who is affected by CVE-2026-7807?

CVE-2026-7807 affects any authenticated user on SmarterTools SmarterMail versions prior to 9560.

4. What type of vulnerability is CVE-2026-7807?

CVE-2026-7807 is a local file inclusion vulnerability that allows users to read arbitrary files on the server.

5. Can CVE-2026-7807 be exploited remotely?

CVE-2026-7807 is not a remote vulnerability; it requires authenticated access to exploit.

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
© 2026 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203