Advisory Database

CVE-2026-41232: Froxlor email sender alias domain ownership bypass via wrong array index allows cross-customer email spoofing

April 16, 2026 (updated April 24, 2026)

In EmailSender::add(), the domain ownership validation for full email sender aliases uses the wrong array index after splitting the email address at "@": the local part, not the domain, is passed to validateLocalDomainOwnership(). A local part is never the name of a locally hosted domain, so the check treats it as a non-existent domain and always passes. Any authenticated customer can therefore add sender aliases for addresses on domains belonging to other customers, and Postfix's sender_login_maps then authorizes the attacker's login to send mail as those addresses.
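A runnable model of the bug class, added here as an example and not taken from Froxlor's code: LOCAL_DOMAINS, SAMPLE_ALIASES and every function name are constructed, and the semantics of validate_local_domain_ownership (a name that is not a locally hosted domain passes, a hosted domain must belong to the caller) are inferred from the advisory text above rather than read from the project. It puts the wrong-index call beside the corrected one and adds an audit over existing alias rows for cross-customer entries of the kind the bug could have let through.

```python
"""Model of the authorization bug class behind CVE-2026-41232.

Added example, not Froxlor code: the domain table, the alias rows and all
function names are constructed to mirror the advisory text. Two behaviours
are taken from the advisory: the ownership check is only meaningful for
locally hosted domains (a name that is not a local domain passes), and the
vulnerable caller handed the local part of the address to that check where
the domain was expected.
"""
from __future__ import annotations

# Constructed sample data: locally hosted domain -> owning customer id.
LOCAL_DOMAINS: dict[str, int] = {
    "victim.example": 1,
    "attacker.example": 2,
}


def split_address(email: str) -> tuple[str, str]:
    """Split a single addr-spec into (local_part, domain); reject anything else."""
    local, sep, domain = email.rpartition("@")
    if not sep or not local or not domain or "@" in local:
        raise ValueError(f"not a single addr-spec: {email!r}")
    return local, domain.lower()


def validate_local_domain_ownership(customer_id: int, domain: str) -> bool:
    """Model of the check named in the advisory: a domain that is not hosted
    locally has no owner to compare against and passes; a locally hosted
    domain must belong to the requesting customer."""
    owner = LOCAL_DOMAINS.get(domain.lower())
    return owner is None or owner == customer_id


def add_sender_alias_vulnerable(customer_id: int, email: str) -> bool:
    """Pre-fix behaviour: index 0 (the local part) is passed as the 'domain'.
    No hosted domain is ever named 'ceo', so the check always passes."""
    parts = split_address(email)
    return validate_local_domain_ownership(customer_id, parts[0])  # BUG: wrong index


def add_sender_alias_fixed(customer_id: int, email: str) -> bool:
    """Post-fix behaviour: index 1 (the domain) is what gets checked."""
    parts = split_address(email)
    return validate_local_domain_ownership(customer_id, parts[1])


def find_cross_customer_aliases(aliases: list[tuple[int, str]]) -> list[tuple[int, str]]:
    """Audit existing (customer_id, sender_address) rows and return those whose
    domain is hosted locally for a *different* customer: the rows the buggy
    check would have accepted and sender_login_maps would then honour."""
    findings = []
    for customer_id, email in aliases:
        _, domain = split_address(email)
        owner = LOCAL_DOMAINS.get(domain)
        if owner is not None and owner != customer_id:
            findings.append((customer_id, email))
    return findings


# Constructed alias rows: customer 2 planted an alias on customer 1's domain.
SAMPLE_ALIASES: list[tuple[int, str]] = [
    (1, "ceo@victim.example"),
    (2, "news@attacker.example"),
    (2, "ceo@victim.example"),
    (2, "bob@external.example"),  # not hosted here; nothing to enforce locally
]


if __name__ == "__main__":
    attacker, target = 2, "ceo@victim.example"
    print("vulnerable check accepts:", add_sender_alias_vulnerable(attacker, target))
    print("fixed check accepts:     ", add_sender_alias_fixed(attacker, target))
    print("cross-customer aliases:  ", find_cross_customer_aliases(SAMPLE_ALIASES))
```

The audit function is the practical part of the example: a version bump stops new bypasses, but it says nothing about alias rows created while the check was broken, so in a multi-tenant mail setup those rows are what to compare against domain ownership after upgrading.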

References

  • github.com/advisories/GHSA-vmjj-qr7v-pxm6
  • github.com/froxlor/froxlor
  • github.com/froxlor/froxlor/commit/77d04badf549d5f8429828f0fbc69bc37a35e07a
  • github.com/froxlor/froxlor/releases/tag/2.3.6
  • github.com/froxlor/froxlor/security/advisories/GHSA-vmjj-qr7v-pxm6
  • nvd.nist.gov/vuln/detail/CVE-2026-41232

Affected versions

All versions before 2.3.6

Fixed versions

  • 2.3.6

Solution

Upgrade to version 2.3.6 or above.

Impact

5 MEDIUM

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N

Weakness

  • CWE-863: Incorrect Authorization

Source file

packagist/froxlor/froxlor/CVE-2026-41232.yml

Page generated Wed, 13 May 2026 00:19:08 +0000.