{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/mailcow-dockerized/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.2,"id":"CVE-2026-40871"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["mailcow: dockerized"],"_cs_severities":["high"],"_cs_tags":["sql-injection","mailcow","cve-2026-40871","webserver"],"_cs_type":"advisory","_cs_vendors":["mailcow"],"content_html":"\u003cp\u003eMailcow: dockerized, an open-source groupware/email suite based on Docker, is vulnerable to a second-order SQL injection (CVE-2026-40871) in versions prior to 2026-03b. The vulnerability lies in the \u003ccode\u003e/api/v1/add/mailbox\u003c/code\u003e endpoint, which stores the \u003ccode\u003equarantine_category\u003c/code\u003e field without proper validation or sanitization. This unsanitized value is subsequently used by the \u003ccode\u003equarantine_notify.py\u003c/code\u003e script when constructing SQL queries. The script employs unsafe string formatting (\u003ccode\u003e%\u003c/code\u003e) instead of parameterized queries, which enables an attacker to inject arbitrary SQL code. This SQL injection is triggered when the quarantine notification job executes. This allows attackers to exfiltrate sensitive data. The vulnerability is fixed in version 2026-03b.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious API request to the \u003ccode\u003e/api/v1/add/mailbox\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe malicious request includes a crafted \u003ccode\u003equarantine_category\u003c/code\u003e value containing SQL injection payloads.\u003c/li\u003e\n\u003cli\u003eThe mailcow application stores the unsanitized \u003ccode\u003equarantine_category\u003c/code\u003e value in the database.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003equarantine_notify.py\u003c/code\u003e script is executed as part of the quarantine notification job.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003equarantine_notify.py\u003c/code\u003e constructs a SQL query using the stored, malicious \u003ccode\u003equarantine_category\u003c/code\u003e value and unsafe string formatting.\u003c/li\u003e\n\u003cli\u003eThe injected SQL code is executed against the database, allowing the attacker to perform arbitrary SQL operations.\u003c/li\u003e\n\u003cli\u003eThe attacker uses \u003ccode\u003eUNION SELECT\u003c/code\u003e statements to extract sensitive data, such as admin credentials.\u003c/li\u003e\n\u003cli\u003eThe extracted data is included in quarantine notification emails, potentially exposing it to the attacker or other unintended recipients.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows attackers to inject arbitrary SQL commands into the mailcow: dockerized database. This could lead to the exfiltration of sensitive information, such as admin credentials, API keys, or user data. The exfiltrated data can then be used for further malicious activities, including account takeover, data breaches, or privilege escalation. Although the exact number of potential victims is unknown, any mailcow: dockerized instance running a version prior to 2026-03b is susceptible.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade mailcow: dockerized to version 2026-03b or later to patch CVE-2026-40871.\u003c/li\u003e\n\u003cli\u003eImplement input validation and sanitization for the \u003ccode\u003equarantine_category\u003c/code\u003e field in the \u003ccode\u003e/api/v1/add/mailbox\u003c/code\u003e endpoint to prevent SQL injection attacks.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Mailcow Unsafe Quarantine Category Update\u003c/code\u003e to detect suspicious API requests containing potential SQL injection payloads targeting the \u003ccode\u003e/api/v1/add/mailbox\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eReview and update the \u003ccode\u003equarantine_notify.py\u003c/code\u003e script to use parameterized queries instead of unsafe string formatting to prevent SQL injection vulnerabilities.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-02-mailcow-sql-injection/","summary":"A second-order SQL injection vulnerability (CVE-2026-40871) exists in mailcow: dockerized versions prior to 2026-03b due to improper validation of the quarantine_category field in the /api/v1/add/mailbox endpoint, leading to potential exfiltration of sensitive data.","title":"mailcow: dockerized Second-Order SQL Injection Vulnerability (CVE-2026-40871)","url":"https://feed.craftedsignal.io/briefs/2024-01-02-mailcow-sql-injection/"}],"language":"en","title":"CraftedSignal Threat Feed - Mailcow: Dockerized","version":"https://jsonfeed.org/version/1.1"}