mailcow: dockerized Second-Order SQL Injection Vulnerability (CVE-2026-40871)
A second-order SQL injection vulnerability (CVE-2026-40871) exists in mailcow: dockerized versions prior to 2026-03b due to improper validation of the quarantine_category field in the /api/v1/add/mailbox endpoint, leading to potential exfiltration of sensitive data.
Mailcow: dockerized, an open-source groupware/email suite based on Docker, is vulnerable to a second-order SQL injection (CVE-2026-40871) in versions prior to 2026-03b. The vulnerability lies in the /api/v1/add/mailbox endpoint, which stores the quarantine_category field without proper validation or sanitization. This unsanitized value is subsequently used by the quarantine_notify.py script when constructing SQL queries. The script employs unsafe string formatting (%) instead of parameterized queries, which enables an attacker to inject arbitrary SQL code. This SQL injection is triggered when the quarantine notification job executes. This allows attackers to exfiltrate sensitive data. The vulnerability is fixed in version 2026-03b.
Attack Chain
- An attacker crafts a malicious API request to the
/api/v1/add/mailboxendpoint. - The malicious request includes a crafted
quarantine_categoryvalue containing SQL injection payloads. - The mailcow application stores the unsanitized
quarantine_categoryvalue in the database. - The
quarantine_notify.pyscript is executed as part of the quarantine notification job. quarantine_notify.pyconstructs a SQL query using the stored, maliciousquarantine_categoryvalue and unsafe string formatting.- The injected SQL code is executed against the database, allowing the attacker to perform arbitrary SQL operations.
- The attacker uses
UNION SELECTstatements to extract sensitive data, such as admin credentials. - The extracted data is included in quarantine notification emails, potentially exposing it to the attacker or other unintended recipients.
Impact
Successful exploitation of this vulnerability allows attackers to inject arbitrary SQL commands into the mailcow: dockerized database. This could lead to the exfiltration of sensitive information, such as admin credentials, API keys, or user data. The exfiltrated data can then be used for further malicious activities, including account takeover, data breaches, or privilege escalation. Although the exact number of potential victims is unknown, any mailcow: dockerized instance running a version prior to 2026-03b is susceptible.
Recommendation
- Upgrade mailcow: dockerized to version 2026-03b or later to patch CVE-2026-40871.
- Implement input validation and sanitization for the
quarantine_categoryfield in the/api/v1/add/mailboxendpoint to prevent SQL injection attacks. - Deploy the Sigma rule
Detect Mailcow Unsafe Quarantine Category Updateto detect suspicious API requests containing potential SQL injection payloads targeting the/api/v1/add/mailboxendpoint. - Review and update the
quarantine_notify.pyscript to use parameterized queries instead of unsafe string formatting to prevent SQL injection vulnerabilities.
Detection coverage 2
Detect Mailcow Unsafe Quarantine Category Update
highDetects suspicious API requests to /api/v1/add/mailbox with potential SQL injection in the quarantine_category parameter
Detect Mailcow Quarantine Notify SQL Injection via Audit Logs
criticalDetects SQL injection attempts by monitoring application audit logs for suspicious patterns originating from quarantine_notify.py interacting with the database.
Detection queries are available on the platform. Get full rules →