CVE-2026-40871
Published: 21 April 2026
Summary
CVE-2026-40871 is a high-severity Improper Input Validation (CWE-20) vulnerability. Its CVSS base score is 7.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability is ranked at the 22.3rd percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-40871 is a second-order SQL injection vulnerability affecting mailcow: dockerized, an open source groupware and email suite based on Docker. Versions prior to 2026-03b are vulnerable due to improper handling of the quarantine_category field in the Mailcow API. Specifically, the /api/v1/add/mailbox endpoint accepts and stores this field without validation or sanitization, and the value is later incorporated into SQL queries in quarantine_notify.py using unsafe % string formatting rather than parameterized queries.
An attacker with high privileges (PR:H in the CVSS 3.1 vector behind the 7.2 score) can exploit this by submitting a malicious quarantine_category value via the API. The injection does not fire at submission time; it executes later, when the quarantine notification job runs, enabling arbitrary SQL execution. Attackers can use techniques like UNION SELECT to exfiltrate sensitive data, such as admin credentials, which are then rendered and exposed in quarantine notification emails.
The official GitHub security advisory (GHSA-r8fq-wrfm-cj2q) recommends upgrading to version 2026-03b, which addresses the issue by fixing the unsafe SQL query construction in quarantine_notify.py. No additional mitigations are detailed beyond the patch.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-24253
Vulnerability details
mailcow: dockerized is an open source groupware/email suite based on docker. Versions prior to 2026-03b have a second-order SQL injection vulnerability in the quarantine_category field via the Mailcow API. The /api/v1/add/mailbox endpoint stores quarantine_category without validation or sanitization. This value is later used by quarantine_notify.py, which constructs SQL queries using unsafe % string formatting instead of parameterized queries. This results in a delayed (second-order) SQL injection when the quarantine notification job executes, allowing an attacker to inject arbitrary SQL. Using a UNION SELECT, sensitive data (e.g., admin credentials) can be exfiltrated and rendered inside quarantine notification emails. Version 2026-03b fixes the vulnerability.
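The two-stage flaw described above (store an unvalidated value, then interpolate it into SQL in a later job) and the two fixes the page names (parameterized queries, input validation per SI-10) are illustrated by the following added example. It is not mailcow's code: the table names, the column layout and the shape of the notification query are hypothetical, the data is constructed, and an in-memory SQLite database stands in for mailcow's MySQL. The only thing it reuses from the advisory is the pattern: a `%`-formatted query that fails on a stored value containing a single quote, next to a parameterized query that treats the same value as plain data.

```python
import sqlite3

# Hypothetical allow-list for quarantine_category (SI-10 style validation).
# The real set of values mailcow accepts is not stated on the page.
ALLOWED_CATEGORIES = {"reject", "add_header", "all"}


def build_db():
    """Constructed schema and rows standing in for the mailbox and quarantine tables."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE mailbox (username TEXT PRIMARY KEY, quarantine_category TEXT)")
    conn.execute("CREATE TABLE quarantine (id INTEGER PRIMARY KEY, rcpt TEXT, category TEXT)")
    conn.executemany(
        "INSERT INTO quarantine (rcpt, category) VALUES (?, ?)",
        [("alice@example.test", "reject"), ("bob@example.test", "add_header")],
    )
    return conn


def validate_quarantine_category(value):
    """Reject anything outside the allow-list before it is ever stored."""
    if not isinstance(value, str) or value not in ALLOWED_CATEGORIES:
        raise ValueError("invalid quarantine_category: %r" % (value,))
    return value


def add_mailbox_unvalidated(conn, username, category):
    """Stage one of the flaw: the API endpoint stores the field as received."""
    conn.execute("INSERT INTO mailbox VALUES (?, ?)", (username, category))


def add_mailbox_validated(conn, username, category):
    """Hardened endpoint: only allow-listed values reach the database."""
    conn.execute("INSERT INTO mailbox VALUES (?, ?)", (username, validate_quarantine_category(category)))


def _stored_category(conn, username):
    row = conn.execute("SELECT quarantine_category FROM mailbox WHERE username = ?", (username,)).fetchone()
    return None if row is None else row[0]


def pending_notifications_vulnerable(conn, username):
    """Stage two of the flaw: the notify job splices the stored value into SQL text."""
    category = _stored_category(conn, username)
    if category is None:
        return []
    sql = "SELECT id FROM quarantine WHERE rcpt = '%s' AND category = '%s'" % (username, category)
    return [row[0] for row in conn.execute(sql)]


def pending_notifications_safe(conn, username):
    """Fixed notify job: the stored value is bound as a parameter, never parsed as SQL."""
    category = _stored_category(conn, username)
    if category is None:
        return []
    sql = "SELECT id FROM quarantine WHERE rcpt = ? AND category = ?"
    return [row[0] for row in conn.execute(sql, (username, category))]


def demo():
    """Run both query styles against a benign and a quote-bearing stored value."""
    conn = build_db()
    add_mailbox_unvalidated(conn, "alice@example.test", "reject")
    # A lone quote is enough to prove the stored value is being parsed as SQL.
    add_mailbox_unvalidated(conn, "mallory@example.test", "reject'")
    results = {
        "alice_vulnerable": pending_notifications_vulnerable(conn, "alice@example.test"),
        "alice_safe": pending_notifications_safe(conn, "alice@example.test"),
    }
    try:
        results["mallory_vulnerable"] = pending_notifications_vulnerable(conn, "mallory@example.test")
    except sqlite3.OperationalError as exc:
        results["mallory_vulnerable"] = "SQL error: %s" % exc
    results["mallory_safe"] = pending_notifications_safe(conn, "mallory@example.test")
    try:
        add_mailbox_validated(conn, "eve@example.test", "reject'")
        results["validation"] = "accepted"
    except ValueError:
        results["validation"] = "rejected"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-18s %r" % (key, value))
```

Both lookups behave identically for a well-formed value, which is why this class of bug survives ordinary functional testing; the difference only appears once a stored value carries SQL metacharacters, and the parameterized version then simply finds no matching rows. The allow-list at the API is the second, independent layer: even if another consumer of the field is later written with string formatting, no payload can be stored in the first place.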
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection in the mailcow API endpoint allows arbitrary SQL execution for credential exfiltration (T1212); the vulnerability sits in a public-facing web application (T1190).
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): requires validation and sanitization of the quarantine_category input at the Mailcow API to prevent storage of SQL injection payloads that would later be executed in quarantine_notify.py.
- SI-2 (Flaw Remediation): ensures timely remediation of the SQL injection flaw by patching to version 2026-03b, which fixes the unsafe SQL query construction.
- Vulnerability scanning identifies the second-order SQL injection in the quarantine_category handling prior to exploitation.