CVE-2026-40872 Overview
CVE-2026-40872 is a critical stored Cross-Site Scripting (XSS) vulnerability in mailcow: dockerized, an open source groupware/email suite based on Docker. In versions prior to 2026-03b, the admin dashboard's Autodiscover logs render the EMailAddress value (logged as the "user" field) without HTML escaping. By submitting an unauthenticated Autodiscover request with a crafted EMailAddress containing HTML/JavaScript, the payload is stored in Redis and executed when an admin views the Autodiscover logs.
Critical Impact
Unauthenticated attackers can inject malicious scripts that execute in the context of an administrator's browser session, potentially leading to full administrative account compromise, data theft, or lateral movement within the mail infrastructure.
Affected Products
- mailcow: dockerized versions prior to 2026-03b
Discovery Timeline
- 2026-04-21 - CVE CVE-2026-40872 published to NVD
- 2026-04-22 - Last updated in NVD database
Technical Details for CVE-2026-40872
Vulnerability Analysis
This stored Cross-Site Scripting vulnerability occurs in the admin dashboard's Autodiscover log viewer component. The Autodiscover protocol is used by email clients to automatically configure account settings, and mailcow logs these requests for administrative review. When processing Autodiscover requests, the application stores the submitted EMailAddress field in Redis without proper sanitization. Subsequently, when an administrator views the Autodiscover logs through the dashboard, the logged email address values are rendered directly into the HTML without proper output encoding, allowing any embedded JavaScript or HTML to execute in the administrator's browser context.
The vulnerability is particularly dangerous because it requires no authentication to exploit. An attacker simply needs to submit a malicious Autodiscover request to the target mailcow instance with a specially crafted EMailAddress value containing a JavaScript payload. The attack remains dormant until an administrator views the logs, at which point the stored payload executes with the full privileges of the admin session.
Root Cause
The root cause is improper output encoding (CWE-79) in the admin dashboard's log rendering functionality. The application fails to apply HTML escaping to user-controlled data stored in the Autodiscover logs before including it in the admin interface HTML output. This allows user-supplied input from the EMailAddress field to break out of the expected HTML context and inject arbitrary scripts.
Attack Vector
The attack vector is network-based and requires no authentication. An attacker can exploit this vulnerability by sending a crafted Autodiscover request to the vulnerable mailcow instance. The malicious payload in the EMailAddress field gets stored in Redis as part of the normal logging process. When an administrator accesses the Autodiscover logs section of the admin dashboard, the browser renders the stored payload as executable code.
The attack requires user interaction from an administrator (viewing the logs), but the attacker has no prerequisites beyond network access to the mailcow Autodiscover endpoint. Successful exploitation could allow the attacker to steal administrator session cookies, perform actions as the administrator, modify mail server configurations, access sensitive email data, or establish persistence within the mail infrastructure.
For technical details on the vulnerability mechanism and exploitation, refer to the GitHub Security Advisory.
Detection Methods for CVE-2026-40872
Indicators of Compromise
- Unusual Autodiscover requests containing HTML tags or JavaScript syntax in the EMailAddress field
- Autodiscover log entries with suspicious content such as <script>, onerror=, onload=, or other event handlers
- Unexpected administrator session activity or authentication events following log review
- Redis entries containing encoded or obfuscated JavaScript payloads
Detection Strategies
- Implement Web Application Firewall (WAF) rules to detect and block Autodiscover requests containing HTML/JavaScript in email address fields
- Monitor web server access logs for Autodiscover requests with abnormally long or encoded email parameters
- Deploy endpoint detection to identify unusual browser behavior during admin dashboard access
- Review Redis logs and stored data for suspicious content patterns
Monitoring Recommendations
- Enable detailed logging for all Autodiscover endpoint requests
- Set up alerts for administrator dashboard access patterns that deviate from normal behavior
- Monitor for new or modified administrator accounts that may indicate session compromise
- Implement Content Security Policy (CSP) headers to detect and report XSS attempts
How to Mitigate CVE-2026-40872
Immediate Actions Required
- Upgrade mailcow: dockerized to version 2026-03b or later immediately
- Review Autodiscover logs for evidence of exploitation attempts prior to patching
- Invalidate and rotate all administrator session tokens after updating
- Audit recent administrator activity for signs of unauthorized access
Patch Information
Version 2026-03b of mailcow: dockerized addresses this vulnerability by implementing proper HTML escaping for the EMailAddress value when rendering Autodiscover logs in the admin dashboard. Administrators should update their mailcow installations to this version or later. For update instructions and additional details, refer to the GitHub Security Advisory.
Workarounds
- Restrict access to the admin dashboard using network-level controls such as firewall rules or VPN requirements until the patch can be applied
- Implement a reverse proxy with WAF capabilities to filter potentially malicious Autodiscover requests
- Temporarily disable logging of Autodiscover requests if feasible for your environment
- Use browser extensions that block JavaScript execution when reviewing untrusted log data
# Example: Restrict admin dashboard access via iptables
iptables -A INPUT -p tcp --dport 443 -s <trusted_admin_ip> -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
