{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40871", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-15T15:57:41.718Z", "datePublished": "2026-04-21T19:12:52.781Z", "dateUpdated": "2026-04-21T20:36:30.751Z"}, "containers": {"cna": {"title": "mailcow: dockerized vulnerable to Second Order SQL Injection in quarantine category via API", "problemTypes": [{"descriptions": [{"cweId": "CWE-20", "lang": "en", "description": "CWE-20: Improper Input Validation", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-89", "lang": "en", "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-116", "lang": "en", "description": "CWE-116: Improper Encoding or Escaping of Output", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-564", "lang": "en", "description": "CWE-564: SQL Injection: Hibernate", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/mailcow/mailcow-dockerized/security/advisories/GHSA-r8fq-wrfm-cj2q", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/mailcow/mailcow-dockerized/security/advisories/GHSA-r8fq-wrfm-cj2q"}], "affected": [{"vendor": "mailcow", "product": "mailcow-dockerized", "versions": [{"version": "< 2026-03b", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-21T19:12:52.781Z"}, "descriptions": [{"lang": "en", "value": "mailcow: dockerized is an open source groupware/email suite based on docker. Versions prior to 2026-03b have a second-order SQL injection vulnerability in the quarantine_category field via the Mailcow API. The /api/v1/add/mailbox endpoint stores quarantine_category without validation or sanitization. This value is later used by quarantine_notify.py, which constructs SQL queries using unsafe % string formatting instead of parameterized queries. This results in a delayed (second-order) SQL injection when the quarantine notification job executes, allowing an attacker to inject arbitrary SQL. Using a UNION SELECT, sensitive data (e.g., admin credentials) can be exfiltrated and rendered inside quarantine notification emails. Version 2026-03b fixes the vulnerability."}], "source": {"advisory": "GHSA-r8fq-wrfm-cj2q", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/mailcow/mailcow-dockerized/security/advisories/GHSA-r8fq-wrfm-cj2q", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-21T19:53:34.653739Z", "id": "CVE-2026-40871", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-21T20:36:30.751Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-40871", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-21T19:53:34.653739Z"}}}], "references": [{"url": "https://github.com/mailcow/mailcow-dockerized/security/advisories/GHSA-r8fq-wrfm-cj2q", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-21T19:53:44.291Z"}}], "cna": {"title": "mailcow: dockerized vulnerable to Second Order SQL Injection in quarantine category via API", "source": {"advisory": "GHSA-r8fq-wrfm-cj2q", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "mailcow", "product": "mailcow-dockerized", "versions": [{"status": "affected", "version": "< 2026-03b"}]}], "references": [{"url": "https://github.com/mailcow/mailcow-dockerized/security/advisories/GHSA-r8fq-wrfm-cj2q", "name": "https://github.com/mailcow/mailcow-dockerized/security/advisories/GHSA-r8fq-wrfm-cj2q", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "mailcow: dockerized is an open source groupware/email suite based on docker. Versions prior to 2026-03b have a second-order SQL injection vulnerability in the quarantine_category field via the Mailcow API. The /api/v1/add/mailbox endpoint stores quarantine_category without validation or sanitization. This value is later used by quarantine_notify.py, which constructs SQL queries using unsafe % string formatting instead of parameterized queries. This results in a delayed (second-order) SQL injection when the quarantine notification job executes, allowing an attacker to inject arbitrary SQL. Using a UNION SELECT, sensitive data (e.g., admin credentials) can be exfiltrated and rendered inside quarantine notification emails. Version 2026-03b fixes the vulnerability."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-20", "description": "CWE-20: Improper Input Validation"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-116", "description": "CWE-116: Improper Encoding or Escaping of Output"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-564", "description": "CWE-564: SQL Injection: Hibernate"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-21T19:12:52.781Z"}}}, "cveMetadata": {"cveId": "CVE-2026-40871", "state": "PUBLISHED", "dateUpdated": "2026-04-21T20:36:30.751Z", "dateReserved": "2026-04-15T15:57:41.718Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-21T19:12:52.781Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "mailcow: dockerized is an open source groupware/email suite based on docker. Versions prior to 2026-03b have a second-order SQL injection vulnerability in the quarantine_category field via the Mailcow API. The /api/v1/add/mailbox endpoint stores quarantine_category without validation or sanitization. This value is later used by quarantine_notify.py, which constructs SQL queries using unsafe % string formatting instead of parameterized queries. This results in a delayed (second-order) SQL injection when the quarantine notification job executes, allowing an attacker to inject arbitrary SQL. Using a UNION SELECT, sensitive data (e.g., admin credentials) can be exfiltrated and rendered inside quarantine notification emails. Version 2026-03b fixes the vulnerability."}], "id": "CVE-2026-40871", "lastModified": "2026-04-21T21:16:43.340", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-21T20:17:00.527", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/mailcow/mailcow-dockerized/security/advisories/GHSA-r8fq-wrfm-cj2q"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "url": "https://github.com/mailcow/mailcow-dockerized/security/advisories/GHSA-r8fq-wrfm-cj2q"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}, {"lang": "en", "value": "CWE-89"}, {"lang": "en", "value": "CWE-116"}, {"lang": "en", "value": "CWE-564"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T05:33:05.246004+00:00", "value": {"mitigation_remediation": ["Upgrade mailcow\u2011dockerized to version 2026-03b or later to install the vendor\u2011supplied fix.", "Restrict or disable the /api/v1/add/mailbox API endpoint for untrusted users and enforce strict authentication for remaining API traffic.", "Implement server\u2011side input validation and replace unsafe string formatting with parameterized queries for the quarantine_category field."], "summary": {"action": "Immediate Patch", "impact": "Data Exfiltration"}, "threat_synthesis": {"affected_systems": "Affected are installations of mailcow:mailcow-dockerized running any version prior to 2026-03b. The vulnerability was addressed in the 2026-03b release, and any newer version is considered fixed.", "description_and_impact": "A second\u2011order SQL injection exists in mailcow:mailcow-dockerized where the quarantine_category field from the /api/v1/add/mailbox endpoint is stored without validation. When the quarantine_notify.py process later builds SQL queries using unsafe string formatting, an attacker can inject arbitrary SQL such as a UNION SELECT, allowing extraction of sensitive data like administrator credentials. The flaw does not enable immediate code execution but can compromise the database and disclose confidential information.", "risk_and_exploitability": "The CVSS score of 7.2 indicates a high severity. EPSS data is not available, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is remote through the API, requiring authenticated access to the /api/v1/add/mailbox endpoint. An attacker who can send a crafted request and later trigger the quarantine notification job can execute arbitrary SQL queries against the database, leading to data exfiltration."}}}}, "created": "2026-04-22T05:45:09.819695+00:00", "updated": "2026-04-22T05:45:09.819706+00:00", "vendors": []}