Mailcow SQLi: Second-Order Vulnerability in Quarantine Notifications

The National Vulnerability Database has detailed CVE-2026-40871, a critical second-order SQL injection vulnerability impacting mailcow: dockerized versions prior to 2026-03b. This flaw stems from improper handling of the quarantine_category field via the Mailcow API’s /api/v1/add/mailbox endpoint. The input is stored without validation and later used unsafely by quarantine_notify.py when constructing SQL queries, leading to arbitrary SQL execution during the quarantine notification job.

This isn’t a speculative risk. An attacker can leverage a UNION SELECT statement to exfiltrate sensitive data, including critical admin credentials, directly within the quarantine notification emails. The CVSS score of 7.2 (HIGH) is well-deserved; this is a direct path to sensitive data and potentially full system compromise for any exposed mailcow instance. It highlights a common developer pitfall: assuming data is safe after initial storage, only for it to be misused downstream.

Defenders running mailcow: dockerized must prioritize patching to version 2026-03b immediately. Beyond patching, this serves as a stark reminder that input validation and parameterized queries are non-negotiable at every stage of data processing, especially when data persists and is reused in backend operations. Attackers will always look for these delayed execution paths.