CVE-2026-56780
HighCVSS 7.5Exploitation Probability (EPSS)
Low risk18th percentile — higher than 18% of all known CVEs
Summary
Modoboa before version 2.9.0 has an insecure direct object reference (IDOR) vulnerability in the PUT /api/v1/accounts/{pk}/password/ endpoint. Domain administrators can change any user's password, including superadmins, leading to full account takeover.
Risk Assessment
The risk for the organization includes privilege escalation by domain administrators who can take over superadmin accounts and gain unauthorized access to the entire Modoboa system, potentially compromising data confidentiality and integrity.
Recommendation
Immediately upgrade Modoboa to version 2.9.0 or later, which includes a fix for the IDOR vulnerability. Additionally, review domain administrator permissions and implement object-level access controls.
Original NVD description (English source)
Modoboa before 2.9.0 contains an insecure direct object reference vulnerability in the PUT /api/v1/accounts/{pk}/password/ endpoint that allows domain administrators to change any user's password. Attackers with domain admin privileges can bypass object-level access controls to reset superadmin passwords and achieve full account takeover.

