Cyber Resilience

CVE-2026-41113

HighRCE

Published: 16 April 2026

Published
16 April 2026
Modified
19 May 2026
KEV Added
Patch
CVSS Score v3.1 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0085 53.4th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-41113 is a high-severity OS Command Injection (CWE-78) vulnerability in Calif (inferred from references). Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 46.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-41113 is a remote code execution vulnerability affecting sagredo qmail versions before 2026.04.07. The flaw arises from the use of popen() in the notlshosts_auto function within qmail-remote.c, which can be triggered via tls_quit. It has been classified under CWE-78 (OS Command Injection) with a CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).

A remote, unauthenticated attacker can exploit this vulnerability over the network, though it requires high attack complexity and no user interaction. Successful exploitation enables arbitrary code execution on the qmail server, resulting in high impacts to confidentiality, integrity, and availability.

Mitigation is provided by updating to sagredo qmail version 2026.04.07 or later, released at https://github.com/sagredo-dev/qmail/releases/tag/v2026.04.07. The fix is implemented in commit 749f607f6885e3d01b36f2647d7a1db88f1ef741, merged via pull request #42 at https://github.com/sagredo-dev/qmail/pull/42.

The vulnerability was discovered through an AI-assisted audit using Claude, as documented in https://blog.calif.io/p/we-asked-claude-to-audit-sagredos and supporting materials at https://github.com/califio/publications/tree/main/MADBugs/qmail. No evidence of real-world exploitation is available in the provided references.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

sagredo qmail before 2026.04.07 allows tls_quit remote code execution because of popen in notlshosts_auto in qmail-remote.c.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.004 Unix Shell Execution
Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

OS command injection RCE in public-facing qmail mail server enables remote exploitation (T1190) and arbitrary Unix shell command execution via popen() (T1059.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2018-25115Shared CWE-78
CVE-2025-24382Shared CWE-78
CVE-2026-29058Shared CWE-78
CVE-2024-57016Shared CWE-78
CVE-2024-46484Shared CWE-78
CVE-2015-10145Shared CWE-78
CVE-2020-37002Shared CWE-78
CVE-2026-27848Shared CWE-78
CVE-2025-0356Shared CWE-78
CVE-2025-13942Shared CWE-78

Affected Assets

Calif
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Requires timely flaw remediation by patching the popen-based command injection vulnerability in sagredo qmail before 2026.04.07 as fixed in commit 749f607f.

prevent

Prevents OS command injection (CWE-78) by validating inputs to the notlshosts_auto function in qmail-remote.c before passing to popen during tls_quit processing.

detect

Monitors qmail server for indicators of exploitation such as anomalous processes or network activity from the remote tls_quit-triggered RCE attempts.

References