PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-41113 sagredo CVE debrief

A command injection vulnerability exists in sagredo qmail before version 2026.04.07. The flaw resides in the `notlshosts_auto` function within `qmail-remote.c`, which uses `popen()` to execute a command constructed with attacker-influenced input from the `tls_quit` mechanism. This allows remote unauthenticated attackers to achieve code execution on affected mail servers. The vulnerability was disclosed in April 2026 and subsequently patched. The CVSS 3.1 score of 8.1 reflects high impact despite requiring high attack complexity.

Vendor: sagredo
Product: qmail
CVSS: HIGH 8.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-04-16
Original CVE updated: 2026-05-19
Advisory published: 2026-04-16
Advisory updated: 2026-05-19

Who should care

Organizations operating sagredo qmail installations as mail transfer agents, particularly those exposed to untrusted networks. Security teams responsible for mail infrastructure and vulnerability management programs should prioritize patching given the HIGH severity rating and potential for unauthenticated remote compromise.

Technical summary

The vulnerability stems from unsafe use of `popen()` in `qmail-remote.c`'s `notlshosts_auto` function. The `tls_quit` parameter, which can be influenced by remote TLS handshake behavior, is incorporated into a shell command without adequate sanitization. This classic command injection pattern enables arbitrary code execution with the privileges of the qmail-remote process. The attack requires network access to the mail server and successful TLS negotiation, contributing to the high attack complexity rating. The fix eliminates the unsafe `popen()` usage in favor of safer alternatives.
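The pattern the advisory describes is a command string built from untrusted input and handed to `popen()`, which runs it through `/bin/sh`. The block below is an added illustration of the safe replacement, not sagredo's code and not the actual fix in `qmail-remote.c` (the page does not show it): the untrusted value is validated against an allow-list and the external tool is started with an argument vector via `fork`/`execvp`, so no shell ever parses it. The tool name and hostname argument are hypothetical placeholders.

```c
/* Added example, not sagredo qmail code: runs an external helper on an
 * untrusted hostname WITHOUT a shell, replacing popen("tool " + host). */
#define _POSIX_C_SOURCE 200809L
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Allow-list check: a hostname may contain only letters, digits, '-' and '.'.
 * Anything a shell would interpret (';', '|', '$', '`', spaces...) is rejected. */
int is_safe_hostname(const char *s)
{
    if (s == NULL || *s == '\0' || strlen(s) > 253) return 0;
    for (; *s; s++) {
        if (!((*s >= 'a' && *s <= 'z') || (*s >= 'A' && *s <= 'Z') ||
              (*s >= '0' && *s <= '9') || *s == '-' || *s == '.'))
            return 0;
    }
    return 1;
}

/* Execute argv[0] with argv directly. Because /bin/sh is never involved,
 * metacharacters inside an argument reach the child as literal bytes and
 * cannot start a second command. Returns the child's exit status, or -1 on
 * fork/wait failure (127 if exec itself failed in the child). */
int run_argv(char *const argv[])
{
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execvp(argv[0], argv);
        _exit(127);                     /* exec failed in the child */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Hardened replacement for a popen()-built command: validate the untrusted
 * host first, then exec with an argument vector. Returns -1 if the host is
 * rejected, otherwise the helper's exit status. */
int probe_host_safely(const char *tool, const char *host)
{
    if (!is_safe_hostname(host)) return -1;
    char *argv[] = { (char *)tool, (char *)host, NULL };
    return run_argv(argv);
}
```

The same two layers apply to any `popen()` call fed by protocol data: reject input that is not in the expected shape, and never let a shell see what remains.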

Defensive priority

HIGH

Recommended defensive actions

  • Upgrade sagredo qmail to version 2026.04.07 or later to remediate this vulnerability.
  • Review mail server configurations to confirm deployment of patched versions.
  • Monitor for anomalous process execution or network connections originating from qmail-remote processes.
  • Consider network segmentation for mail transfer agents to limit exposure of this attack surface.

Evidence notes

The vulnerability was identified through security research involving automated auditing. The fix was committed to the sagredo-dev/qmail repository and released as version 2026.04.07. The NVD record shows deferred status as of the last modification date.

Official resources

2026-04-16