Description
mailcow: dockerized is an open source groupware/email suite based on docker. Versions prior to 2026-03b have a second-order SQL injection vulnerability in the quarantine_category field via the Mailcow API. The /api/v1/add/mailbox endpoint stores quarantine_category without validation or sanitization. This value is later used by quarantine_notify.py, which constructs SQL queries using unsafe % string formatting instead of parameterized queries. This results in a delayed (second-order) SQL injection when the quarantine notification job executes, allowing an attacker to inject arbitrary SQL. Using a UNION SELECT, sensitive data (e.g., admin credentials) can be exfiltrated and rendered inside quarantine notification emails. Version 2026-03b fixes the vulnerability.
Published: 2026-04-21
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Data Exfiltration
Action: Immediate Patch
AI Analysis

Impact

A second-order SQL injection exists in mailcow: dockerized. The /api/v1/add/mailbox endpoint accepts the quarantine_category field and stores it without validation; the write itself is not where the injection fires. The stored value is read back later by quarantine_notify.py, which splices it into its SQL with Python % string formatting instead of bound parameters, so the injected SQL executes only when the quarantine notification job runs. A UNION SELECT placed in the stored value adds rows from other tables (the advisory cites administrator credentials) to the result set, and the job renders that result set into the quarantine notification email, which is the exfiltration channel. Code execution is not claimed, but arbitrary SQL against the mailcow database puts confidentiality first and, depending on the privileges of the job's database account, integrity and availability at risk, which is why the CVSS vector rates all three High.
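The mechanism above, as an added example that is not mailcow's code: a minimal model of the two stages (the API write that stores the value, and the notification job that later interpolates it) with the vulnerable % formatting beside the parameterized form, run against an in-memory SQLite database. The table names, columns, allowlist and payload are constructed stand-ins, not the real mailcow schema or payload, and SQLite replaces MariaDB so the script runs offline; the injection mechanics are the same.

```python
import sqlite3

# Added example, not mailcow's code. Table and column names are a constructed
# stand-in for the real schema; SQLite stands in for MariaDB so this runs offline.

# Assumed allowlist for the field, not mailcow's actual accepted values.
ALLOWED_CATEGORIES = {"reject", "add_header", "all"}


def setup_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE admin (username TEXT, password TEXT);
        INSERT INTO admin VALUES ('admin', '$2y$10$constructed-hash');
        CREATE TABLE mailbox (username TEXT, quarantine_category TEXT);
        CREATE TABLE quarantine (id INTEGER, rcpt TEXT, subject TEXT, category TEXT);
        INSERT INTO quarantine VALUES (1, 'user@example.test', 'Spam A', 'reject');
        INSERT INTO quarantine VALUES (2, 'user@example.test', 'Spam B', 'add_header');
    """)
    return conn


def add_mailbox(conn, username, quarantine_category):
    """First order: the API write is parameterized, so nothing fires here.
    The defect is that the value is accepted verbatim and trusted later."""
    conn.execute(
        "INSERT INTO mailbox (username, quarantine_category) VALUES (?, ?)",
        (username, quarantine_category),
    )


def add_mailbox_fixed(conn, username, quarantine_category):
    """Validation at the API boundary: reject anything off the allowlist."""
    if quarantine_category not in ALLOWED_CATEGORIES:
        raise ValueError("invalid quarantine_category")
    add_mailbox(conn, username, quarantine_category)


def stored_category(conn, username):
    row = conn.execute(
        "SELECT quarantine_category FROM mailbox WHERE username = ?", (username,)
    ).fetchone()
    return row[0]


def notify_vulnerable(conn, username):
    """Second order: the stored value is spliced in with % formatting,
    the pattern the advisory describes for quarantine_notify.py."""
    category = stored_category(conn, username)
    query = (
        "SELECT id, subject FROM quarantine WHERE rcpt = '%s' AND category = '%s'"
        % (username, category)
    )
    return conn.execute(query).fetchall()


def notify_fixed(conn, username):
    """Same lookup with bound parameters: the stored value can only be data."""
    category = stored_category(conn, username)
    return conn.execute(
        "SELECT id, subject FROM quarantine WHERE rcpt = ? AND category = ?",
        (username, category),
    ).fetchall()


def run_demo():
    conn = setup_db()
    user = "user@example.test"
    # Constructed payload: closes the string literal, appends a UNION that pulls
    # admin rows into the result set the notifier renders, and comments out
    # the trailing quote that the format string appends.
    payload = "reject' UNION SELECT username, password FROM admin-- "
    add_mailbox(conn, user, payload)
    try:
        add_mailbox_fixed(conn, "other@example.test", payload)
        rejected = False
    except ValueError:
        rejected = True
    return {
        "vulnerable": notify_vulnerable(conn, user),
        "fixed": notify_fixed(conn, user),
        "validation_rejected_payload": rejected,
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(name, value)
```

Running it shows the vulnerable path returning the admin row alongside the legitimate quarantine row (exactly what ends up in the notification email), the parameterized path returning nothing because the stored string simply matches no category, and the allowlist check refusing to store the payload at all. Both layers belong in the fix: the allowlist stops the value from ever being stored, and parameterization makes the notifier safe even if some other path writes an unexpected value.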

Affected Systems

All installations of mailcow: dockerized running a version prior to 2026-03b are affected. The vulnerability was addressed in the 2026-03b release, and that version and any newer one are fixed.

Risk and Exploitability

The CVSS 3.1 score of 7.2 (High) comes from the vector AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H: reachable over the network with low attack complexity, but PR:H, because calling /api/v1/add/mailbox requires a mailcow API key with write access. The EPSS score is below 1%, and the CVE is not listed in the CISA KEV catalog, although the SSVC entry in the history below records a public proof of concept (Exploitation: poc, Automatable: no). An attacker holding such a key stores the payload with one API call and then waits for, or later triggers, the quarantine notification job; the injected query executes at that point and its output reaches the attacker inside the notification email, so no separate read channel to the database is needed.

Generated by OpenCVE AI on April 22, 2026 at 05:33 UTC.

Remediation

The vendor fix is the 2026-03b release; upgrading is the remediation. No workaround for earlier versions is documented on this page.

OpenCVE Recommended Actions

  • Upgrade mailcow: dockerized to 2026-03b or later; that release contains the vendor fix.
  • Until upgraded, treat every read-write API key as an administrative credential: issue keys only to trusted automation, rotate any key that may have leaked, and restrict API access to known source addresses.
  • Audit existing mailboxes for quarantine_category values outside the expected set; a stored value containing a quote, UNION or an SQL comment sequence indicates the endpoint has already been abused.
  • If you maintain a patched fork instead of upgrading, apply the same fix as upstream: validate quarantine_category against an allowlist at the API, and replace the % string formatting in quarantine_notify.py with parameterized queries.


Advisories

No advisories yet.

History

Wed, 22 Apr 2026 12:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Mailcow; Mailcow mailcow Dockerized
Vendors & Products | | Mailcow; Mailcow mailcow Dockerized

Wed, 22 Apr 2026 00:00:00 +0000

Type | Values Removed | Values Added
Description | | (the vendor description reproduced under Description above)
Title | | mailcow: dockerized vulnerable to Second Order SQL Injection in quarantine category via API
Weaknesses | | CWE-116, CWE-20, CWE-564, CWE-89
References | |
Metrics | | cvssV3_1: {'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-21T20:36:30.751Z

Reserved: 2026-04-15T15:57:41.718Z

Link: CVE-2026-40871

Vulnrichment

Updated: 2026-04-21T19:53:44.291Z

NVD

Status: Received

Published: 2026-04-21T20:17:00.527

Modified: 2026-04-21T21:16:43.340

Link: CVE-2026-40871

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T11:45:50Z