PT-2026-34055 · Mailcow · Mailcow
Published: 2026-04-21 · Updated: 2026-04-21
CVE-2026-40874
CVSS v4.0: 6.0 (Medium)
| Vector | AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
Name of the Vulnerable Software and Affected Versions
mailcow: dockerized versions prior to 2026-03b
Description
The '/api/v1/delete/fwdhost' endpoint does not verify that the caller is an administrator before deleting Forwarding Hosts. Any authenticated user can therefore call this API, which may lead to significant disruption of the mail service. The add and edit actions for Forwarding Hosts perform this check; the delete action does not.
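The following is an added illustration of the defect class, not mailcow's own code (which is PHP): a constructed Python model in which the administrator check guards add and edit but is omitted from delete, beside a corrected dispatcher that applies the check to every mutating action before branching. The session roles, user names and host names are hypothetical.

```python
# Constructed model of a missing authorization check on a delete action.
# Not mailcow's code; roles, names and the store layout are hypothetical.
from dataclasses import dataclass, field
from typing import Callable, Dict


class Forbidden(Exception):
    """Raised when the caller lacks the role an action requires."""


@dataclass
class Session:
    username: str
    role: str  # "admin" or "user" in this model


@dataclass
class FwdHostStore:
    # host name -> enabled flag
    hosts: Dict[str, bool] = field(default_factory=dict)


def require_admin(session: Session) -> None:
    if session.role != "admin":
        raise Forbidden(f"{session.username} is not an administrator")


def vulnerable_dispatch(action: str, session: Session, store: FwdHostStore, host: str) -> None:
    """Vulnerable shape: add and edit are guarded, delete is not."""
    if action == "add":
        require_admin(session)
        store.hosts[host] = True
    elif action == "edit":
        require_admin(session)
        store.hosts[host] = not store.hosts.get(host, False)
    elif action == "delete":
        store.hosts.pop(host, None)  # the defect: no authorization check at all
    else:
        raise ValueError(f"unknown action {action!r}")


def fixed_dispatch(action: str, session: Session, store: FwdHostStore, host: str) -> None:
    """Hardened shape: authorization is decided once, before any branch mutates state."""
    if action not in {"add", "edit", "delete"}:
        raise ValueError(f"unknown action {action!r}")
    require_admin(session)  # every mutating action on the resource gets the same check
    if action == "add":
        store.hosts[host] = True
    elif action == "edit":
        store.hosts[host] = not store.hosts.get(host, False)
    else:
        store.hosts.pop(host, None)


def attempt(dispatch: Callable, action: str, session: Session, store: FwdHostStore, host: str) -> str:
    """Run one request through a dispatcher and report "ok" or "forbidden"."""
    try:
        dispatch(action, session, store, host)
        return "ok"
    except Forbidden:
        return "forbidden"
```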
Recommendations
Update to version 2026-03b.
Weakness Enumeration
Improper Access Control
Affected Products
Mailcow