Unauthenticated Deletion Vulnerability in mailcow: dockerized Email Suite
CVE-2026-40874

6 MEDIUM

Key Information:

Vendor: Mailcow
CVE Published: 21 April 2026

What is CVE-2026-40874?

The mailcow: dockerized email suite, a popular open-source solution, is subject to an unauthenticated API access vulnerability. In versions before 2026-03b, no administrative checks are enforced when an authenticated user attempts to delete Forwarding Hosts via the /api/v1/delete/fwdhost endpoint. Because of this missing authorization check, any authenticated user can delete essential forwarding configurations and thereby significantly disrupt email delivery, posing a risk to business continuity. Version 2026-03b fixes this issue.

Affected Version(s)

mailcow-dockerized < 2026-03b

CVSS V4

Score: 6
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: High
Attack Requirements: Physical
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability reserved