CVE

CVE-2026-27602

Modoboa has OS Command Injection

Summary

exec_cmd() in modoboa/lib/sysutils.py always runs subprocess calls with shell=True. Since domain names flow directly into shell command strings without any sanitization, a Reseller or SuperAdmin can include shell metacharacters in a domain name to run arbitrary OS commands on the server.

Details

The root cause is in modoboa/lib/sysutils.py:31:

kwargs["shell"] = True                      # every caller gets a shell, whether the command needs one or not
process = subprocess.Popen(cmd, **kwargs)   # cmd is a single string, so /bin/sh parses it

When a domain is created with DKIM enabled, the domain name gets embedded into a shell command like this:

exec_cmd(f"openssl genrsa -out {dkim_storage_dir}/{domain.name}.pem {key_size}")

If the domain name contains something like $(id>/tmp/proof).example.com, the shell executes the injected command before running openssl.

The same pattern appears in several other places:

  • modoboa/admin/jobs.py:38 — mailbox rename via mv using full_address
  • modoboa/amavis/lib.py:202 — sa-learn using domain.name
  • modoboa/admin/models/mailbox.py:150 — doveadm user using full_address
  • modoboa/maillog/graphics.py:105–107 — rrdtool using domain.name
  • modoboa/webmail/models.py:54–57 — doveadm move/delete using account.email
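The sink pattern above, beside the fix a maintainer would apply, as an added example. This is not Modoboa's code and not the upstream patch: the function names (`is_valid_domain`, `hardened_argv`, `shell_safe_command`, `run_argv`) and the storage path are assumptions for illustration. The vulnerable form is kept only to show how the string is built; the hardened form validates the domain against host-name syntax and hands subprocess an argument list with `shell=False`, so no shell ever parses the value. A third function shows `shlex.quote` for legacy call sites that cannot drop the string form.

```python
import re
import shlex
import subprocess

# Constructed sample inputs (not from a real deployment): a benign domain and
# the metacharacter pattern the advisory describes.
BENIGN_DOMAIN = "example.com"
HOSTILE_DOMAIN = "$(id>/tmp/proof).example.com"
DKIM_STORAGE_DIR = "/var/lib/dkim"  # assumed path, illustrative only

# One DNS label: 1-63 chars of letters, digits or hyphens, not starting or
# ending with a hyphen (RFC 1035 / RFC 1123 host-name syntax).
_LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_valid_domain(name: str) -> bool:
    """Allow-list check: only host-name syntax gets anywhere near a command line."""
    if not name or len(name) > 253:
        return False
    return all(_LABEL_RE.match(label) for label in name.split("."))


def vulnerable_command(domain: str, storage_dir: str, key_size: int = 2048) -> str:
    """Shape of the sink in the advisory: one string destined for shell=True.

    Anything in `domain` is parsed by /bin/sh, so $(...), ;, | and friends are
    interpreted rather than treated as part of a file name.
    """
    return f"openssl genrsa -out {storage_dir}/{domain}.pem {key_size}"


def hardened_argv(domain: str, storage_dir: str, key_size: int = 2048) -> list:
    """Validate first, then build an argv list for subprocess with shell=False.

    With shell=False (the default) the list goes to execve() unchanged; no
    shell sees it, so metacharacters carry no meaning even if validation were
    ever bypassed.
    """
    if not is_valid_domain(domain):
        raise ValueError(f"invalid domain name: {domain!r}")
    return ["openssl", "genrsa", "-out", f"{storage_dir}/{domain}.pem", str(key_size)]


def shell_safe_command(domain: str, storage_dir: str, key_size: int = 2048) -> str:
    """Fallback when a shell is unavoidable: quote every interpolated value.

    shlex.quote wraps anything outside the safe character set in single
    quotes, so the shell passes it through literally. Prefer hardened_argv;
    this exists for legacy call sites that still assemble a string.
    """
    target = shlex.quote(f"{storage_dir}/{domain}.pem")
    return f"openssl genrsa -out {target} {int(key_size)}"


def run_argv(argv: list, dry_run: bool = True) -> str:
    """Execute without a shell; dry_run returns the quoted command for display."""
    if dry_run:
        return shlex.join(argv)
    completed = subprocess.run(argv, check=True, capture_output=True, text=True)
    return completed.stdout


if __name__ == "__main__":
    print("vulnerable :", vulnerable_command(HOSTILE_DOMAIN, DKIM_STORAGE_DIR))
    print("hardened   :", run_argv(hardened_argv(BENIGN_DOMAIN, DKIM_STORAGE_DIR)))
    try:
        hardened_argv(HOSTILE_DOMAIN, DKIM_STORAGE_DIR)
    except ValueError as exc:
        print("rejected   :", exc)
    print("quoted     :", shell_safe_command(HOSTILE_DOMAIN, DKIM_STORAGE_DIR))
```

The same two-step (allow-list the value, then pass an argv list) applies to every sink in the list above: `mv`, `sa-learn`, `doveadm` and `rrdtool` all accept their operands as separate arguments, so none of them needs a shell. Validation is kept even though `shell=False` alone defeats metacharacters, because a value such as `../other.pem` is still a path-traversal problem for the `-out` argument.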

PoC

  1. Deploy modoboa <= 2.7.0
  2. Log in as a Reseller or SuperAdmin
  3. Create a new domain named $(id>/tmp/proof).example.com with DKIM enabled
  4. SSH into the server and read /tmp/proof

Something like this will be displayed:

uid=0(root) gid=0(root) groups=0(root)

Confirmed on commit b521bcb4f (latest main at time of discovery).

Impact

An attacker with Reseller-level access (or higher) can execute arbitrary OS commands on the mail server — in a typical Modoboa deployment this means running as root. All six identified sinks are reachable through normal application workflows.

CVSS

  • CVSS Version: 3.1
  • Severity: High
  • Base Score: 7.2
  • Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

References

  • https://github.com/modoboa/modoboa/security/advisories/GHSA-wwv8-cqpr-vx3m
  • https://nvd.nist.gov/vuln/detail/CVE-2026-27602
  • https://github.com/modoboa/modoboa/commit/27a7aa133d3608fe8c25ae39125d1012c333cbfa
  • https://github.com/modoboa/modoboa
  • https://github.com/modoboa/modoboa/releases/tag/2.7.1

Basic Information

  • Base CVSS: 7.2
  • EPSS Probability: 0.00036%
  • EPSS Percentile: 0.1095%
  • Introduced Version: 0
  • Fix Available: 2.7.1
