<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Mailcow: Dockerized - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/mailcow-dockerized/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 02 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/mailcow-dockerized/feed.xml" rel="self" type="application/rss+xml"/><item><title>mailcow: dockerized Second-Order SQL Injection Vulnerability (CVE-2026-40871)</title><link>https://feed.craftedsignal.io/briefs/2024-01-02-mailcow-sql-injection/</link><pubDate>Tue, 02 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-02-mailcow-sql-injection/</guid><description>A second-order SQL injection vulnerability (CVE-2026-40871) exists in mailcow: dockerized versions prior to 2026-03b due to improper validation of the quarantine_category field in the /api/v1/add/mailbox endpoint, leading to potential exfiltration of sensitive data.</description><content:encoded><![CDATA[<p>Mailcow: dockerized, an open-source groupware/email suite based on Docker, is vulnerable to a second-order SQL injection (CVE-2026-40871) in versions prior to 2026-03b. The vulnerability lies in the <code>/api/v1/add/mailbox</code> endpoint, which stores the <code>quarantine_category</code> field without proper validation or sanitization. This unsanitized value is subsequently used by the <code>quarantine_notify.py</code> script when constructing SQL queries. The script employs unsafe string formatting (<code>%</code>) instead of parameterized queries, which enables an attacker to inject arbitrary SQL code. This SQL injection is triggered when the quarantine notification job executes. This allows attackers to exfiltrate sensitive data. The vulnerability is fixed in version 2026-03b.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker crafts a malicious API request to the <code>/api/v1/add/mailbox</code> endpoint.</li>
<li>The malicious request includes a crafted <code>quarantine_category</code> value containing SQL injection payloads.</li>
<li>The mailcow application stores the unsanitized <code>quarantine_category</code> value in the database.</li>
<li>The <code>quarantine_notify.py</code> script is executed as part of the quarantine notification job.</li>
<li><code>quarantine_notify.py</code> constructs a SQL query using the stored, malicious <code>quarantine_category</code> value and unsafe string formatting.</li>
<li>The injected SQL code is executed against the database, allowing the attacker to perform arbitrary SQL operations.</li>
<li>The attacker uses <code>UNION SELECT</code> statements to extract sensitive data, such as admin credentials.</li>
<li>The extracted data is included in quarantine notification emails, potentially exposing it to the attacker or other unintended recipients.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this vulnerability allows attackers to inject arbitrary SQL commands into the mailcow: dockerized database. This could lead to the exfiltration of sensitive information, such as admin credentials, API keys, or user data. The exfiltrated data can then be used for further malicious activities, including account takeover, data breaches, or privilege escalation. Although the exact number of potential victims is unknown, any mailcow: dockerized instance running a version prior to 2026-03b is susceptible.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade mailcow: dockerized to version 2026-03b or later to patch CVE-2026-40871.</li>
<li>Implement input validation and sanitization for the <code>quarantine_category</code> field in the <code>/api/v1/add/mailbox</code> endpoint to prevent SQL injection attacks.</li>
<li>Deploy the Sigma rule <code>Detect Mailcow Unsafe Quarantine Category Update</code> to detect suspicious API requests containing potential SQL injection payloads targeting the <code>/api/v1/add/mailbox</code> endpoint.</li>
<li>Review and update the <code>quarantine_notify.py</code> script to use parameterized queries instead of unsafe string formatting to prevent SQL injection vulnerabilities.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>sql-injection</category><category>mailcow</category><category>cve-2026-40871</category><category>webserver</category></item></channel></rss>