Second-Order SQL Injection in Mailcow Dockerized Open Source Suite
CVE-2026-40871

7.2HIGH

Key Information:

Vendor: Mailcow
Status: Mailcow-dockerized
Vendor: CVE Published:; 21 April 2026

What is CVE-2026-40871?

Mailcow: dockerized, an open-source groupware and email suite, is susceptible to a second-order SQL injection due to improper handling of the quarantine_category field via the Mailcow API. Specifically, the vulnerability arises from the /api/v1/add/mailbox endpoint, which inadequately stores the quarantine_category without any validation or sanitization measures. This flaw allows attackers to craft SQL queries with unsafe string formatting instead of utilizing parameterized queries. Consequently, when the quarantine notification job runs, it becomes possible for an attacker to inject arbitrary SQL code. This can lead to severe data breaches, as sensitive information, such as admin credentials, could be leaked through the quarantine notification emails. The issue is resolved in version 2026-03b.

Affected Version(s)

mailcow-dockerized < 2026-03b

References

https://github.com/mailcow/mailcow-dockerized/security/ad...

x_refsource_CONFIRM

CVSS V3.1

Score:

7.2

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 21, 2026
Vulnerability Reserved
Apr 15, 2026

CVE-2026-40871 Data

JSON