PT-2026-33640 · Mailcow · Mailcow

Published 2026-04-19 · Updated 2026-04-27 · CVE-2026-40871

CVSS v3.1: 7.2 (High)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: mailcow: dockerized, versions prior to 2026-03b

Description: A second-order SQL injection exists in the Mailcow API. The endpoint '/api/v1/add/mailbox' stores the quarantine category value without validation or sanitization. That stored value is later read by the quarantine notify.py job, which builds its SQL queries with unsafe string formatting instead of parameterized queries. An attacker with API access can therefore store arbitrary SQL that is executed when the quarantine notification job runs. This can lead to the exfiltration of sensitive data, such as admin credentials, which are then rendered inside the quarantine notification emails.

Recommendations: Update to version 2026-03b.
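The pattern the description names, a stored value that is safe at write time but becomes SQL structure when a later job formats it into a query string, is easiest to see side by side with the parameterized form. The following is an added, self-contained illustration and is not Mailcow's code: the table, column names, category values and the two lookup functions are all constructed for this example, and the in-memory SQLite database stands in for the real quarantine store.

```python
import sqlite3

# Constructed allow-list of category values; the real product's set may differ.
ALLOWED_CATEGORIES = frozenset({"reject", "add_header", "all"})


def validate_category(value):
    """First line of defence: only accept known category values at the API layer."""
    return isinstance(value, str) and value in ALLOWED_CATEGORIES


def make_db():
    """Constructed in-memory schema standing in for a quarantine table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE quarantine ("
        " id INTEGER PRIMARY KEY, rcpt TEXT, category TEXT, notified INTEGER)"
    )
    conn.executemany(
        "INSERT INTO quarantine (rcpt, category, notified) VALUES (?, ?, ?)",
        [
            ("alice@example.test", "reject", 0),
            ("bob@example.test", "add_header", 0),
        ],
    )
    return conn


def unsafe_query(category):
    """Vulnerable pattern (hypothetical): the stored value is spliced into SQL text.

    Anything the value contains, quotes included, becomes part of the statement,
    so a value that passed the API unchecked decides what the job executes.
    """
    return (
        "SELECT rcpt FROM quarantine WHERE category = '%s' AND notified = 0"
        % category
    )


def unsafe_lookup(conn, category):
    return [row[0] for row in conn.execute(unsafe_query(category)).fetchall()]


def safe_lookup(conn, category):
    """Fixed pattern: the value travels as a bound parameter, never as SQL text.

    The driver keeps the statement shape fixed; the value is compared literally.
    """
    cur = conn.execute(
        "SELECT rcpt FROM quarantine WHERE category = ? AND notified = 0",
        (category,),
    )
    return [row[0] for row in cur.fetchall()]


if __name__ == "__main__":
    db = make_db()
    stored = "reject' OR '1'='1"  # constructed value that survived an unchecked write
    print("validated:", validate_category(stored))
    print("unsafe:   ", unsafe_lookup(db, stored))
    print("safe:     ", safe_lookup(db, stored))
```

Run it and the two lookups diverge on the same stored value: the formatted query returns every unnotified recipient because the value rewrote the WHERE clause, while the parameterized query returns nothing because no category literally equals that string. Both layers matter: the allow-list stops the value from being stored in the first place, and parameterization means a value that somehow does get stored can only ever be data.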

Tags: Exploit · Fix · SQL injection · Improper Encoding or Escaping of Output · RCE


Weakness Enumeration

Related Identifiers: CVE-2026-40871

Affected Products: Mailcow