PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-40514 SmarterTools Inc. CVE debrief

CVE-2026-40514 is a HIGH-severity vulnerability in SmarterTools SmarterMail builds prior to 9610. The vulnerability is caused by a cryptographic weakness in the file and email sharing endpoints, which use DES-CBC encryption with keys and initialization vectors derived from System.Random seeded with insufficient entropy. This reduces the seed space to approximately 19,000 possible values, allowing an unauthenticated attacker to use the attachment download endpoint as an oracle to determine the seed in use and derive encryption keys and initialization vectors. With this information, an attacker can forge sharing tokens for arbitrary emails, attachments, or file storage contents without prior access to the targeted content.

Vendor
SmarterTools Inc.
Product
SmarterMail
CVSS
HIGH 8.2
CISA KEV
Not listed in stored evidence
Original CVE published
2026-04-27
Original CVE updated
2026-06-04
Advisory published
2026-04-27
Advisory updated
2026-06-04

Who should care

Administrators and users of SmarterTools SmarterMail builds prior to 9610 should be aware of this vulnerability and take necessary actions to mitigate it.

Technical summary

The vulnerability has a CVSS score of 8.2 and is classified as CWE-338. It was published on [cvePublishedAt] and last modified on [cveModifiedAt].

Defensive priority

HIGH

Recommended defensive actions

  • Upgrade to SmarterMail build 9610 or later.
  • Review and update any existing sharing tokens.
  • Monitor for suspicious activity on the attachment download endpoint.

Evidence notes

The vulnerability is confirmed by the CVE record [resourceLinkAnnotations:cve-org] and the NVD detail [resourceLinkAnnotations:nvd].

Official resources

CVE-2026-40514 was published on 2026-04-27T15:16:20.160Z and last modified on 2026-06-04T15:28:12.010Z.