Description
mailcow: dockerized is an open source groupware/email suite based on docker. In versions prior to 2026-03b, no administrator verification takes place when deleting Forwarding Hosts with `/api/v1/delete/fwdhost`. Any authenticated user can call this API. Checks are only applied for edit/add actions, but deletion can still significantly disrupt the mail service. Version 2026-03b fixes the vulnerability.
Published: 2026-04-21
Score: 6 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized deletion of forwarding hosts
Action: Apply patch
AI Analysis

Impact

mailcow: dockerized exposes an API endpoint, /api/v1/delete/fwdhost, that deletes Forwarding Host entries without verifying that the caller is an administrator. The add and edit actions carry that check; the delete action does not, so any authenticated user can remove forwarding hosts and disrupt delivery of mail that arrives through them. The flaw is a missing authorization check (CWE-284) whose consequence is service disruption rather than data exposure.
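As an added illustration (not code from mailcow or from this advisory), the Python below models the flaw class: a role check copied into the add and edit branches but absent from delete, beside a hardened version that gates every mutating action once before dispatch. Session, FwdHostStore, fwdhost_vulnerable, fwdhost_fixed and the sample data are assumptions made for this example; mailcow's actual handler is written in PHP and is not reproduced here.

```python
# Added example (not mailcow code): the authorization gap class behind
# CVE-2026-40874, modelled as a per-action handler. Session, FwdHostStore,
# fwdhost_vulnerable and fwdhost_fixed are names chosen for this illustration,
# not mailcow identifiers.
from dataclasses import dataclass, field

ACCESS_DENIED = {"ok": False, "msg": "access_denied"}


@dataclass
class Session:
    """Authenticated caller; role is one of 'admin', 'domainadmin' or 'user'."""
    user: str
    role: str


@dataclass
class FwdHostStore:
    """In-memory stand-in for the forwarding-host table (constructed data)."""
    hosts: dict = field(default_factory=dict)


def _apply(action, store, host, filter_spam):
    """Mutate the store; shared by both variants so only the gate differs."""
    if action == "add":
        store.hosts[host] = {"filter_spam": filter_spam}
    elif action == "edit":
        if host not in store.hosts:
            return {"ok": False, "msg": "not_found"}
        store.hosts[host]["filter_spam"] = filter_spam
    elif action == "delete":
        store.hosts.pop(host, None)
    else:
        return {"ok": False, "msg": "unknown_action"}
    return {"ok": True, "msg": f"{action}:{host}"}


def fwdhost_vulnerable(session, action, store, host, filter_spam=False):
    """Defective pattern: the role check is repeated per action and the
    delete branch never received one, so any authenticated caller may delete."""
    if action in ("add", "edit") and session.role != "admin":
        return dict(ACCESS_DENIED)
    return _apply(action, store, host, filter_spam)


MUTATING_ACTIONS = frozenset({"add", "edit", "delete"})


def fwdhost_fixed(session, action, store, host, filter_spam=False):
    """Hardened pattern: a single gate ahead of dispatch covers every mutating
    action, so a branch added later cannot silently bypass the check."""
    if action in MUTATING_ACTIONS and session.role != "admin":
        return dict(ACCESS_DENIED)
    return _apply(action, store, host, filter_spam)


def _seed_store():
    # Constructed forwarding-host entry; fresh inner dict per store.
    return FwdHostStore({"relay.example.org": {"filter_spam": False}})


def demo():
    """Replay the advisory's scenario against both variants and report what happened."""
    alice = Session("alice@example.org", "user")  # constructed low-privilege caller
    root = Session("admin", "admin")              # constructed administrator

    vulnerable = _seed_store()
    v_user = fwdhost_vulnerable(alice, "delete", vulnerable, "relay.example.org")

    fixed = _seed_store()
    f_user = fwdhost_fixed(alice, "delete", fixed, "relay.example.org")
    survived_user = "relay.example.org" in fixed.hosts
    f_admin = fwdhost_fixed(root, "delete", fixed, "relay.example.org")

    return {
        "vulnerable_user_delete_ok": v_user["ok"],
        "vulnerable_host_survived": "relay.example.org" in vulnerable.hosts,
        "fixed_user_delete_ok": f_user["ok"],
        "fixed_host_survived_user": survived_user,
        "fixed_admin_delete_ok": f_admin["ok"],
        "fixed_host_survived_admin": "relay.example.org" in fixed.hosts,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The design point is where the check lives: a gate placed once before the action switch fails closed for every branch, whereas a check copied into each branch is only as complete as the last developer who touched the switch.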

Affected Systems

The affected product is mailcow: dockerized (the mailcow/mailcow-dockerized project). All releases prior to 2026-03b lack the authorization check on the delete action; 2026-03b and later contain the fix.

Risk and Exploitability

The CVSS 4.0 base score of 6.0 (vector AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H) rates this medium severity: the endpoint is network-reachable with low privileges and no user interaction, but attack complexity is high and attack requirements are present, and the impact is confined to availability. The EPSS score is below 1%, and the vulnerability is not listed in the CISA KEV catalog; the SSVC assessment records exploitation status as "poc", so proof-of-concept exploitation is known but in-the-wild exploitation is not confirmed. Because any authenticated user can reach the endpoint, an attacker holding valid low-privilege credentials can delete forwarding hosts and disrupt delivery of mail that arrives through them. The availability impact warrants prompt patching.

Generated by OpenCVE AI on April 22, 2026 at 05:31 UTC.

Remediation

The vendor fix is release 2026-03b; no separate workaround is documented. See the recommended actions below.

OpenCVE Recommended Actions

  • Upgrade mailcow: dockerized to version 2026-03b or later, which adds the missing authorization check to the Forwarding Hosts delete action.
  • Until the upgrade is applied, limit who can authenticate to the instance: review and revoke API keys and non-admin accounts that are no longer needed, since any authenticated user can reach /api/v1/delete/fwdhost, and consider restricting that path at the reverse proxy to trusted source addresses. Such measures reduce exposure but do not replace the code fix.
  • Audit the existing Forwarding Hosts configuration, remove entries that are no longer required, and keep a record of the expected entries so that an unauthorized deletion can be detected and restored quickly.

Generated by OpenCVE AI on April 22, 2026 at 05:31 UTC.

Advisories

No advisories yet.

History

Wed, 22 Apr 2026 12:15:00 +0000

Type: First Time appeared
  Values Removed: (none)
  Values Added: Mailcow; Mailcow mailcow Dockerized

Type: Vendors & Products
  Values Removed: (none)
  Values Added: Mailcow; Mailcow mailcow Dockerized

Wed, 22 Apr 2026 00:00:00 +0000

Type: Description
  Values Removed: (none)
  Values Added: mailcow: dockerized is an open source groupware/email suite based on docker. In versions prior to 2026-03b, no administrator verification takes place when deleting Forwarding Hosts with `/api/v1/delete/fwdhost`. Any authenticated user can call this API. Checks are only applied for edit/add actions, but deletion can still significantly disrupt the mail service. Version 2026-03b fixes the vulnerability.

Type: Title
  Values Removed: (none)
  Values Added: mailcow: dockerized missing authorization on Forwarding Hosts delete action

Type: Weaknesses
  Values Removed: (none)
  Values Added: CWE-284

Type: References
  Values Removed: (none)
  Values Added: (none listed)

Type: Metrics
  Values Removed: (none)
  Values Added:
    cvssV4_0: {'score': 6, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}
    ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-21T19:53:36.285Z

Reserved: 2026-04-15T15:57:41.718Z

Link: CVE-2026-40874

Vulnrichment

Updated: 2026-04-21T19:53:32.280Z

NVD

Status : Received

Published: 2026-04-21T20:17:00.977

Modified: 2026-04-21T20:17:00.977

Link: CVE-2026-40874

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T11:45:47Z

Weaknesses