CVE-2026-41113

HighRCEUpdated

Published: 16 April 2026

Published

16 April 2026

Modified

19 May 2026

KEV Added

—

Patch

—

CVSS Score 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0010 27.5th percentile

Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-41113 is a high-severity OS Command Injection (CWE-78) vulnerability in Calif (inferred from references). Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 27.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Requires timely flaw remediation by patching the popen-based command injection vulnerability in sagredo qmail before 2026.04.07 as fixed in commit 749f607f.

SI-10 Information Input Validation good match

prevent

Prevents OS command injection (CWE-78) by validating inputs to the notlshosts_auto function in qmail-remote.c before passing to popen during tls_quit processing.

SI-4 System Monitoring partial match

detect

Monitors qmail server for indicators of exploitation such as anomalous processes or network activity from the remote tls_quit-triggered RCE attempts.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1059.004 Unix Shell Execution

Adversaries may abuse Unix shell commands and scripts for execution.

attack.mitre.org →

Why these techniques?

OS command injection RCE in public-facing qmail mail server enables remote exploitation (T1190) and arbitrary Unix shell command execution via popen() (T1059.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

sagredo qmail before 2026.04.07 allows tls_quit remote code execution because of popen in notlshosts_auto in qmail-remote.c.

Deeper analysisAI

CVE-2026-41113 is a remote code execution vulnerability affecting sagredo qmail versions before 2026.04.07. The flaw arises from the use of popen() in the notlshosts_auto function within qmail-remote.c, which can be triggered via tls_quit. It has been classified under CWE-78 (OS Command Injection) with a CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).

A remote, unauthenticated attacker can exploit this vulnerability over the network, though it requires high attack complexity and no user interaction. Successful exploitation enables arbitrary code execution on the qmail server, resulting in high impacts to confidentiality, integrity, and availability.

Mitigation is provided by updating to sagredo qmail version 2026.04.07 or later, released at https://github.com/sagredo-dev/qmail/releases/tag/v2026.04.07. The fix is implemented in commit 749f607f6885e3d01b36f2647d7a1db88f1ef741, merged via pull request #42 at https://github.com/sagredo-dev/qmail/pull/42.

The vulnerability was discovered through an AI-assisted audit using Claude, as documented in https://blog.calif.io/p/we-asked-claude-to-audit-sagredos and supporting materials at https://github.com/califio/publications/tree/main/MADBugs/qmail. No evidence of real-world exploitation is available in the provided references.