Cyber Resilience

CVE-2026-40871

High

Published: 21 April 2026
Modified: 22 April 2026
KEV Added: not listed
Patch: available (2026-03b)
CVSS Score v3.1: 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0007 (22.3rd percentile)
Risk Priority: 14 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-40871 is a high-severity Improper Input Validation (CWE-20) vulnerability in mailcow: dockerized that manifests as a second-order SQL injection. Its CVSS v3.1 base score is 7.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 22.3rd percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-40871 is a second-order SQL injection vulnerability affecting mailcow: dockerized, an open source groupware and email suite based on Docker. Versions prior to 2026-03b are vulnerable due to improper handling of the quarantine_category field in the Mailcow API. Specifically, the /api/v1/add/mailbox endpoint accepts and stores this field without validation or sanitization, and the value is later incorporated into SQL queries in quarantine_notify.py using unsafe % string formatting rather than parameterized queries.

An attacker who already holds high privileges (PR:H in the CVSS vector) exploits this by submitting a crafted quarantine_category value via the API. Nothing happens at write time; the payload is simply stored. The injection fires later, when the quarantine notification job runs and interpolates the stored value into its query, yielding arbitrary SQL execution in the job's database context. With a UNION SELECT the attacker can pull sensitive data, such as admin credentials, into the result set, which the job then renders into the quarantine notification email.

The official GitHub security advisory (GHSA-r8fq-wrfm-cj2q) recommends upgrading to version 2026-03b, which addresses the issue by fixing the unsafe SQL query construction in quarantine_notify.py. No additional mitigations are detailed beyond the patch.
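The following is an added example, not mailcow's code: a minimal Python model of the second-order pattern described above, written against an in-memory SQLite database. The table and column names, the query text, the sample rows, the injection payload and the allow-list of category values are all constructed for illustration and are not taken from the mailcow code base or the advisory. It shows why the first-order write looks harmless, why the notification job is where the query breaks, and the two fixes a practitioner wants side by side: the parameterized query in the job (what the patch does) and an allow-list check at the API boundary (the SI-10 control listed under Mitigating Controls).

```python
import sqlite3

# Added example modelling the second-order SQL injection described for
# quarantine_notify.py. Schema, queries, rows and payload are constructed
# for illustration; this is not mailcow's code or schema.

# Assumed allow-list of valid quarantine_category values (not from the advisory).
ALLOWED_CATEGORIES = {"reject", "add_header", "all"}

# Constructed payload: closes the quoted literal, appends a UNION that reads the
# admin table, and comments out the remainder of the original query.
PAYLOAD = "reject' UNION SELECT username, password FROM admin --"


def setup_db():
    """In-memory database seeded with constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE admin (username TEXT, password TEXT);
        CREATE TABLE mailbox (username TEXT, quarantine_category TEXT);
        CREATE TABLE quarantine (id INTEGER, rcpt TEXT, subject TEXT, category TEXT);
        INSERT INTO admin VALUES ('admin', 'constructed-password-hash');
        INSERT INTO quarantine VALUES (1, 'victim@example.test', 'Invoice', 'reject');
        INSERT INTO quarantine VALUES (2, 'victim@example.test', 'Newsletter', 'add_header');
        """
    )
    return conn


def validate_quarantine_category(value):
    """API-boundary check (SI-10 style): only allow-listed values are accepted."""
    return isinstance(value, str) and value in ALLOWED_CATEGORIES


def add_mailbox_unvalidated(conn, username, quarantine_category):
    """Models the /api/v1/add/mailbox write without validation. The INSERT here is
    parameterized, so the payload is stored as inert data and nothing fires yet."""
    conn.execute("INSERT INTO mailbox VALUES (?, ?)", (username, quarantine_category))


def add_mailbox_validated(conn, username, quarantine_category):
    """Same write with the allow-list enforced before anything is stored."""
    if not validate_quarantine_category(quarantine_category):
        raise ValueError(f"invalid quarantine_category: {quarantine_category!r}")
    add_mailbox_unvalidated(conn, username, quarantine_category)


def stored_category(conn, username):
    row = conn.execute(
        "SELECT quarantine_category FROM mailbox WHERE username = ?", (username,)
    ).fetchone()
    return row[0]


def notify_vulnerable(conn, username):
    """Models the notification job building its query with % formatting. The stored
    category is trusted as if it were safe, so the second-order injection fires here."""
    category = stored_category(conn, username)
    query = (
        "SELECT id, subject FROM quarantine WHERE rcpt = '%s' AND category = '%s'"
        % (username, category)
    )
    return conn.execute(query).fetchall()


def notify_fixed(conn, username):
    """Same job with a bound parameter: the stored value is only ever compared as data."""
    category = stored_category(conn, username)
    return conn.execute(
        "SELECT id, subject FROM quarantine WHERE rcpt = ? AND category = ?",
        (username, category),
    ).fetchall()


def demo():
    """Store the payload through the unvalidated API, then run both versions of the job."""
    conn = setup_db()
    add_mailbox_unvalidated(conn, "victim@example.test", PAYLOAD)
    leaked = notify_vulnerable(conn, "victim@example.test")
    safe = notify_fixed(conn, "victim@example.test")
    return leaked, safe


if __name__ == "__main__":
    leaked, safe = demo()
    print("vulnerable job returned:", leaked)   # includes the admin row from the UNION
    print("parameterized job returned:", safe)  # no rows: the payload matches no real category
```

Two things the model makes visible. First, the write path is parameterized and still vulnerable, because the flaw is in the consumer of the stored value, not the producer; a scanner that only probes the API response will see nothing. Second, the parameterized job returns no rows rather than an error, because the stored string simply matches no category; the allow-list is what keeps the junk out of the database in the first place, and the two controls are complementary rather than interchangeable.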

Vulnerability details

mailcow: dockerized is an open source groupware/email suite based on docker. Versions prior to 2026-03b have a second-order SQL injection vulnerability in the quarantine_category field via the Mailcow API. The /api/v1/add/mailbox endpoint stores quarantine_category without validation or sanitization. This value is later used by quarantine_notify.py, which constructs SQL queries using unsafe % string formatting instead of parameterized queries. This results in a delayed (second-order) SQL injection when the quarantine notification job executes, allowing an attacker to inject arbitrary SQL. Using a UNION SELECT, sensitive data (e.g., admin credentials) can be exfiltrated and rendered inside quarantine notification emails. Version 2026-03b fixes the vulnerability.

CWE(s)

CWE-20 Improper Input Validation

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-assisted mapping)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1212 Exploitation for Credential Access (Credential Access): Adversaries may exploit software vulnerabilities in an attempt to collect credentials.
Why these techniques?

The vulnerable endpoint belongs to a public-facing web application (T1190), and the arbitrary SQL execution it yields is used to exfiltrate credentials such as admin password hashes (T1212).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-32714 (shared CWE-89)
CVE-2025-20620 (shared CWE-89)
CVE-2026-25773 (shared CWE-89)
CVE-2025-27378 (shared CWE-20, CWE-89)
CVE-2026-4594 (shared CWE-564, CWE-89)
CVE-2015-20121 (shared CWE-89)
CVE-2019-25539 (shared CWE-89)
CVE-2025-0347 (shared CWE-89)
CVE-2025-1952 (shared CWE-89)
CVE-2025-1954 (shared CWE-89)

Affected Assets

mailcow: dockerized, versions prior to 2026-03b

Mitigating Controls (NIST 800-53 r5, AI-assisted mapping)

prevent: SI-10 (Information Input Validation)

Requires validation and sanitization of the quarantine_category input at the Mailcow API so that SQL injection payloads are never stored for later execution by quarantine_notify.py. An allow-list of the accepted category values is the natural form of this check.

prevent: SI-2 (Flaw Remediation)

Ensures timely remediation of the SQL injection flaw by patching to version 2026-03b, which fixes the unsafe SQL query construction in quarantine_notify.py.

detect

Vulnerability scanning identifies the second-order SQL injection in the quarantine_category handling prior to exploitation. Because the payload is stored at API time and only executes when the notification job runs, a scanner that tests the API response alone will not observe the injection; checking the installed mailcow version against 2026-03b is the reliable check.

References

GHSA-r8fq-wrfm-cj2q (GitHub security advisory for mailcow: dockerized)