GHSA-wwv8-cqpr-vx3m

Source
https://github.com/advisories/GHSA-wwv8-cqpr-vx3m
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-wwv8-cqpr-vx3m/GHSA-wwv8-cqpr-vx3m.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-wwv8-cqpr-vx3m
Aliases
  • CVE-2026-27602
Published
2026-03-25T17:03:37Z
Modified
2026-03-25T17:18:34.837766Z
Severity
  • 7.2 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Summary
Modoboa has OS Command Injection
Details

Summary

exec_cmd() in modoboa/lib/sysutils.py always runs subprocess calls with shell=True. Since domain names flow directly into shell command strings without any sanitization, a Reseller or SuperAdmin can include shell metacharacters in a domain name to run arbitrary OS commands on the server.

Details

The root cause is in modoboa/lib/sysutils.py:31:

kwargs["shell"] = True
process = subprocess.Popen(cmd, **kwargs)

When a domain is created with DKIM enabled, the domain name gets embedded into a shell command like this:

exec_cmd(f"openssl genrsa -out {dkim_storage_dir}/{domain.name}.pem {key_size}")

If the domain name contains something like $(id>/tmp/proof).example.com, the shell executes the injected command before running openssl.

The same pattern appears in several other places:

  • modoboa/admin/jobs.py:38 — mailbox rename via mv using full_address
  • modoboa/amavis/lib.py:202 — sa-learn using domain.name
  • modoboa/admin/models/mailbox.py:150 — doveadm user using full_address
  • modoboa/maillog/graphics.py:105–107 — rrdtool using domain.name
  • modoboa/webmail/models.py:54–57 — doveadm move/delete using account.email
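As an added illustration (not Modoboa's code and not its 2.7.1 fix), this is the shape a defender would want in place of a shell=True helper: commands are built as argument lists and run without a shell, so a domain name reaches the child process as one literal argv entry instead of being parsed as shell syntax, and an allow-list check rejects names that are not plain hostnames before any command is built. The names exec_cmd_argv, validate_domain_name, build_dkim_keygen_cmd and echo_as_argument, the storage path and the sample domain names are assumptions made for this example.

```python
import re
import subprocess
import sys


# Hypothetical replacement for a shell=True helper (not Modoboa's exec_cmd):
# it accepts only an argument list and never hands the command to a shell.
def exec_cmd_argv(argv, **kwargs):
    if isinstance(argv, str):
        raise TypeError("exec_cmd_argv expects a list of arguments, not a command string")
    kwargs.setdefault("capture_output", True)
    kwargs.setdefault("text", True)
    kwargs["shell"] = False  # no shell means no metacharacter expansion
    proc = subprocess.run(argv, **kwargs)
    return proc.returncode, proc.stdout, proc.stderr


# Conservative hostname allow-list (RFC 1035 style labels): letters, digits and
# inner hyphens only, so characters such as $ ( ) ; | can never be part of a
# name that passes validation.
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
_DOMAIN_RE = re.compile(rf"(?:{_LABEL}\.)+{_LABEL}", re.IGNORECASE)


def validate_domain_name(name):
    """True when name is a plain DNS hostname with at least two labels."""
    return len(name) <= 253 and _DOMAIN_RE.fullmatch(name) is not None


def build_dkim_keygen_cmd(dkim_storage_dir, domain_name, key_size):
    """Build the openssl argv list; the domain name stays a single element."""
    if not validate_domain_name(domain_name):
        raise ValueError(f"refusing to build a command for invalid domain name {domain_name!r}")
    out_path = f"{dkim_storage_dir}/{domain_name}.pem"
    return ["openssl", "genrsa", "-out", out_path, str(key_size)]


def echo_as_argument(value):
    """Run a child (python itself, so the demo is portable) that prints argv[1].

    Shows that without a shell the value arrives byte-for-byte as an argument.
    """
    rc, out, _ = exec_cmd_argv([sys.executable, "-c", "import sys; print(sys.argv[1])", value])
    return rc, out.rstrip("\n")


if __name__ == "__main__":
    # Constructed sample inputs for the demonstration.
    hostile = "$(x).example.com"
    print("valid hostname?", validate_domain_name(hostile))
    print("seen by child as argv[1]:", echo_as_argument(hostile)[1])
    print(build_dkim_keygen_cmd("/var/lib/dkim", "example.com", 2048))
```

The allow-list is the primary control and the argv list is the defence in depth: even a name that somehow bypassed validation would be passed to openssl as an opaque string rather than interpreted by /bin/sh.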

PoC

  1. Deploy modoboa <= 2.7.0
  2. Log in as a Reseller or SuperAdmin
  3. Create a new domain named $(id>/tmp/proof).example.com with DKIM enabled
  4. SSH into the server and read /tmp/proof

Something like this will be displayed:

uid=0(root) gid=0(root) groups=0(root)

Confirmed on commit b521bcb4f (latest main at time of discovery).

Impact

An attacker with Reseller-level access (or higher) can execute arbitrary OS commands on the mail server — in a typical Modoboa deployment this means running as root. All six identified sinks are reachable through normal application workflows.

Database specific
{
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-25T17:03:37Z",
    "cwe_ids": [
        "CWE-78"
    ],
    "nvd_published_at": null,
    "severity": "HIGH"
}
References

Affected packages

PyPI / modoboa

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
2.7.1

Affected versions

0.*
0.7.0
1.*
1.2.0-rc2
1.2.0
1.2.1
1.2.2
1.3.0
1.3.1
1.3.2
1.3.3
1.3.4
1.3.5
1.4.1
1.4.2
1.4.3
1.4.4
1.4.5
1.5.0
1.5.1
1.5.2
1.5.3
1.6.0
1.6.1
1.6.2
1.6.3
1.7.0
1.7.1
1.7.2
1.7.3
1.7.4
1.8.0
1.8.1
1.8.2
1.8.3
1.9.0
1.9.1
1.10.0
1.10.1
1.10.2
1.10.3
1.10.4
1.10.5
1.10.6
1.10.7
1.11.0
1.11.1
1.12.0
1.12.1
1.12.2
1.13.0
1.13.1
1.14.0
1.15.0
1.16.0
1.16.1
1.17.0
2.*
2.0.0b1
2.0.0b2
2.0.0b3
2.0.0
2.0.1
2.0.2
2.0.3
2.0.4
2.0.5
2.1.0
2.1.1
2.1.2.dev0
2.1.2
2.1.3.dev0
2.2.0
2.2.1
2.2.2
2.2.3
2.2.4
2.3.0b1
2.3.0b2
2.3.0b3
2.3.0b4
2.3.0
2.3.1
2.3.2
2.3.3
2.3.4
2.3.5
2.3.6
2.4.0
2.4.1
2.4.2
2.4.3
2.4.4
2.4.5
2.4.6
2.4.7
2.4.8
2.4.9
2.4.10
2.4.11
2.5.0
2.5.1
2.6.0
2.6.1
2.6.2
2.6.3
2.6.4
2.6.5
2.7.0

Database specific

last_known_affected_version_range
"<= 2.7.0"
source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-wwv8-cqpr-vx3m/GHSA-wwv8-cqpr-vx3m.json"