Advisory

Mailcow Patches Critical XSS Flaws Enabling Unauthenticated Account Takeover

Take action: If you run a self-hosted Mailcow email server, update it to version 2026-03b ASAP. These vulnerabilities could let an attacker silently take over your admin account just by sending a crafted email. After updating, also check that your server is configured to only accept the X-Real-IP header from trusted internal proxies, not from the open internet.

Learn More

Mailcow, a popular open-source and self-hosted email server suite, recently addressed three cross-site scripting (XSS) vulnerabilities that could lead to full administrative account takeover. These flaws allow unauthenticated attackers to inject malicious scripts into various parts of the management interface.

Vulnerabilities summary:

  • CVE-2026-40872 (CVSS score 9.3) - A stored XSS vulnerability in the Autodiscover logging component that occurs when the system fails to escape the email address field in XML requests. Unauthenticated attackers can send a crafted POST request to the Autodiscover endpoint, which stores a malicious payload in the database. When an administrator views the logs in the dashboard, the script runs in their browser, allowing the attacker to hijack the session and gain full control of the mail server.
  • CVE-2026-40873 (CVSS score 8.9) - A stored XSS vulnerability in the Quarantine management interface that triggers when processing malicious attachment filenames. Attackers can send an email containing an EICAR test string to ensure it is quarantined, with the XSS payload embedded in the filename. If an administrator inspects the quarantined item, the unescaped filename executes arbitrary JavaScript, leading to potential administrative account compromise.
  • CVE-2026-40875 (CVSS score 7.0) - A stored XSS vulnerability in the login history table that leverages the X-Real-IP header to inject malicious code. While initially a self-XSS, attackers can use a Login CSRF attack to force a victim into a controlled account where the payload is active. By chaining this with same-origin access via the window.opener property, an attacker can exfiltrate sensitive email content from the victim's legitimate session.

The vulnerabilities affect all Mailcow: dockerized installations prior to the 2026-03b release. The flaws are caused by the use of manual HTML string concatenation in JavaScript files such as dashboard.js, quarantine.js, and user.js. These legacy coding patterns did not apply output encoding to user-controlled data before rendering it in the Document Object Model (DOM). Because the encoding step was missing, unauthenticated input from email headers and XML bodies reached administrative views unchanged.
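The following is an added illustration and not code from Mailcow. It contrasts the pattern the advisory describes (building a table row by concatenating raw log fields into an HTML string) with the hardened form, where every untrusted field passes through an escapeHtml() helper before it is inserted. The helper, the function names (renderLogRowUnsafe, renderLogRowSafe, containsRawTag) and the sample entries are all constructed for the example; only the idea maps onto the patched dashboard, quarantine and user views.

```javascript
// Added example (not Mailcow's code): manual HTML concatenation of
// user-controlled data beside the escaped, hardened version.

// Minimal escaper for the five characters that can break out of text or
// attribute context. One regex pass, so nothing is double-escaped.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: the raw fields become part of the markup, so an
// address or filename that contains a tag is rendered as live HTML when an
// administrator opens the page.
function renderLogRowUnsafe(entry) {
  return '<tr><td>' + entry.time + '</td><td>' + entry.email +
         '</td><td>' + entry.filename + '</td></tr>';
}

// Hardened pattern: every field that originated outside the application is
// escaped first. Escaping a value we generated ourselves (the timestamp)
// costs nothing and keeps the rule simple: escape at every sink.
function renderLogRowSafe(entry) {
  return '<tr><td>' + escapeHtml(entry.time) + '</td><td>' +
         escapeHtml(entry.email) + '</td><td>' +
         escapeHtml(entry.filename) + '</td></tr>';
}

// Cheap review/test guard: does a rendered fragment contain a tag opener
// other than the <tr>/<td> tags the template itself emits?
function containsRawTag(html) {
  return /<(?!\/?t[rd]>)/i.test(html);
}

// Constructed sample log entries (not real Autodiscover or quarantine data).
const SAMPLE_ENTRIES = [
  {
    time: '2026-03-31T10:00:00Z',
    email: '"<img src=x onerror=alert(1)>"@example.test',
    filename: 'invoice.pdf',
  },
  {
    time: '2026-03-31T10:01:00Z',
    email: 'alice@example.test',
    filename: '<script>alert(1)</script>.txt',
  },
];

function demo() {
  for (const entry of SAMPLE_ENTRIES) {
    console.log('unsafe:', renderLogRowUnsafe(entry));
    console.log('safe:  ', renderLogRowSafe(entry));
    console.log('raw tag survives in safe output?',
                containsRawTag(renderLogRowSafe(entry)));
  }
}

demo();
```

The guard is deliberately tied to the template: it knows which tags the code itself produces and flags any other `<`. A check like this is useful in a unit test for each view that renders external data, because it fails the moment someone reintroduces string concatenation without the escape call.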

Successful exploitation of these vulnerabilities grants attackers access to sensitive communications and administrative configurations. Exposed data includes full email contents and attachments, administrative session tokens and cookies, API credentials, and system configuration settings.

Administrators should immediately update their Mailcow instances to version 2026-03b or later. This update, released on March 31, 2026, introduces the escapeHtml() function across all vulnerable sinks to prevent script injection. Organizations should also review their X-Real-IP header configurations to ensure that only trusted proxy servers can set these values, reducing the risk of header-based injection attacks.
