Description
mailcow: dockerized is an open source groupware/email suite based on docker. In versions prior to 2026-03b, the user dashboard's "Seen successful connections" (login history) renders the client IP from login logs without HTML escaping. Because the server trusts the X-Real-IP header as the source IP for logging, an attacker can inject HTML/JS into this field. This Self-XSS can be exploited by a Login CSRF to force the victim into the attacker's account, and then read emails in a previous browser tab. Version 2026-03b fixes the vulnerability.
Published: 2026-04-21
Score: 7 High
EPSS: < 1% Very Low
KEV: No
Impact: Confidentiality breach
Action: Patch
AI Analysis

Impact

The vulnerability exists in mailcow-dockerized versions older than 2026-03b. The user dashboard renders the client IP taken from the X-Real-IP header without applying HTML escaping, so an attacker can embed malicious HTML or JavaScript in that field. Although the flaw is a stored self-XSS, a Login CSRF can force a victim to log into an attacker-controlled account; the injected script then runs in the victim's browser and can read the content of the victim's mail in the previous tab, exposing private information.

Affected Systems

The affected product is the mailcow-dockerized groupware/email suite. All releases prior to the 2026-03b tag are vulnerable. The fix was committed in that tag and later releases do not contain the flaw.

Risk and Exploitability

With a CVSS score of 7, the issue is considered high-severity. An EPSS score is not available and the vulnerability is not currently listed in the CISA KEV catalog, indicating limited publicly documented exploitation. The flaw relies on a trusted X-Real-IP header that many deployments accept unvalidated, which an attacker can supply. Because it is a self-XSS that requires end-user interaction, the attacker must trick the victim into executing the payload; this can be achieved through a Login CSRF that forces the victim to log in to a compromised account. Once the payload runs, it can arbitrarily read the victim's email data, causing a confidentiality breach.

Generated by OpenCVE AI on April 22, 2026 at 05:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade mailcow-dockerized to version 2026-03b or later, which properly escapes the X-Real-IP input.
  • If an immediate upgrade is not feasible, reconfigure the external reverse-proxy to remove or strictly validate the X-Real-IP header before it reaches the application, ensuring only trusted internal sources can provide that header.
  • As an alternative interim measure, restrict access to the /login endpoint by requiring an anti-CSRF token or by limiting login requests to authenticated internal sources, thereby mitigating the likelihood that a Login CSRF can trigger the self-XSS.

Generated by OpenCVE AI on April 22, 2026 at 05:30 UTC.
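The two controls the recommended actions describe, only honouring X-Real-IP from a trusted proxy when it parses as an IP literal, and HTML-escaping the stored value when the login history is rendered, shown as an added Python example. This is not mailcow's own (PHP) code; the docker subnet, the row field names (real_rip is taken from the advisory title) and the sample rows are constructed.

```python
import html
import ipaddress
from typing import Optional

# Assumed: the only legitimate source of X-Real-IP is the reverse proxy on
# this (constructed) docker network. Anything else is treated as untrusted.
TRUSTED_PROXIES = [ipaddress.ip_network("172.22.1.0/24")]


def client_ip(remote_addr: str, x_real_ip: Optional[str]) -> str:
    """Return the address to write into the login log.

    X-Real-IP is used only when the TCP peer is a trusted proxy AND the
    header value is a valid IPv4/IPv6 literal; otherwise the socket peer
    address is logged. A header carrying HTML never reaches the log."""
    peer = ipaddress.ip_address(remote_addr)
    if x_real_ip is not None and any(peer in net for net in TRUSTED_PROXIES):
        try:
            return str(ipaddress.ip_address(x_real_ip.strip()))
        except ValueError:
            pass  # not an IP literal: ignore the header, keep the peer address
    return remote_addr


def render_login_rows_unescaped(rows) -> str:
    """The pre-2026-03b pattern: stored fields are interpolated as-is, so a
    logged value containing markup becomes live HTML in the dashboard."""
    return "".join(
        "<tr><td>{}</td><td>{}</td></tr>".format(r["time"], r["real_rip"])
        for r in rows
    )


def render_login_rows(rows) -> str:
    """Hardened rendering: every field is HTML-escaped on output, so even a
    value that slipped past input validation is shown as text, not markup."""
    return "".join(
        "<tr><td>{}</td><td>{}</td></tr>".format(
            html.escape(r["time"], quote=True), html.escape(r["real_rip"], quote=True)
        )
        for r in rows
    )


if __name__ == "__main__":
    # Constructed rows: one clean entry and one whose real_rip was stored
    # from an unvalidated header carrying a harmless bold tag.
    rows = [
        {"time": "2026-04-21 20:17", "real_rip": "203.0.113.5"},
        {"time": "2026-04-21 20:18", "real_rip": "<b>injected</b>"},
    ]
    print(render_login_rows_unescaped(rows))  # markup survives
    print(render_login_rows(rows))            # markup neutralised
```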

Tracking


Advisories

No advisories yet.

History

Wed, 22 Apr 2026 12:15:00 +0000

Type: First Time appeared
Values Added: Mailcow; Mailcow mailcow Dockerized

Type: Vendors & Products
Values Added: Mailcow; Mailcow mailcow Dockerized

Wed, 22 Apr 2026 00:00:00 +0000

Type: Description
Values Added: mailcow: dockerized is an open source groupware/email suite based on docker. In versions prior to 2026-03b, the user dashboard's "Seen successful connections" (login history) renders the client IP from login logs without HTML escaping. Because the server trusts the X-Real-IP header as the source IP for logging, an attacker can inject HTML/JS into this field. This Self-XSS can be exploited by a Login CSRF to force the victim into the attacker's account, and then read emails in a previous browser tab. Version 2026-03b fixes the vulnerability.

Type: Title
Values Added: mailcow: dockerized vulnerable to stored XSS in user login history real_rip

Type: Weaknesses
Values Added: CWE-79; CWE-80

Type: References

Type: Metrics
Values Added:
  cvssV4_0: {'score': 7, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:P/VC:H/VI:N/VA:N/SC:H/SI:H/SA:N'}
  ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-21T20:36:24.334Z

Reserved: 2026-04-15T15:57:41.718Z

Link: CVE-2026-40875

Vulnrichment

Updated: 2026-04-21T19:53:12.403Z

NVD

Status : Received

Published: 2026-04-21T20:17:01.120

Modified: 2026-04-21T21:16:43.477

Link: CVE-2026-40875

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T11:45:45Z

Weaknesses