CVE-2026-40875 Overview
CVE-2026-40875 is a Cross-Site Scripting (XSS) vulnerability affecting mailcow: dockerized, an open source groupware/email suite based on Docker. The vulnerability exists in the user dashboard's "Seen successful connections" (login history) feature, which renders the client IP from login logs without proper HTML escaping. Because the server trusts the X-Real-IP header as the source IP for logging, an attacker can inject malicious HTML or JavaScript code into this field.
This Self-XSS becomes exploitable through a Login CSRF attack chain: the attacker forces the victim's browser into the attacker-controlled account, and the script that then runs can read emails displayed in a browser tab the victim opened earlier, leading to potential information disclosure.
Critical Impact
Attackers can chain Self-XSS with Login CSRF to hijack user sessions and access sensitive email content through header injection in the login history display.
Affected Products
- mailcow: dockerized versions prior to 2026-03b
Discovery Timeline
- 2026-04-21 - CVE-2026-40875 published to NVD
- 2026-04-22 - Last updated in NVD database
Technical Details for CVE-2026-40875
Vulnerability Analysis
This vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation), commonly known as Cross-Site Scripting. The core issue stems from insufficient input validation and output encoding in the mailcow dashboard's login history feature.
When users view their "Seen successful connections" in the dashboard, the application displays IP addresses from login logs. However, the server relies on the X-Real-IP HTTP header to determine and log the client's source IP address. That header is meant to be set by a trusted reverse proxy, but when the application accepts a value the client itself supplied, it is attacker-controllable and can carry arbitrary content, including HTML and JavaScript payloads.
The vulnerability requires an attack chain to be exploited effectively: an attacker first crafts a malicious login request with XSS payload in the X-Real-IP header, then uses Login CSRF to force the victim to authenticate into the attacker's account. Once the victim views the login history, the injected script executes in their browser context, potentially allowing the attacker to exfiltrate data from other browser tabs containing the victim's legitimate mailcow session.
Root Cause
The root cause of CVE-2026-40875 is the lack of proper HTML escaping when rendering the client IP address from login logs in the user dashboard. The application directly outputs the logged IP value into the HTML response without sanitization. Combined with the server's trust of the X-Real-IP header for logging purposes, this creates an injection point that attackers can exploit to insert malicious scripts.
Attack Vector
The attack leverages a network-based vector requiring user interaction. The exploitation chain involves:
- An attacker crafts a malicious X-Real-IP header containing JavaScript payload
- The attacker logs into their own mailcow account with this modified header
- The malicious IP is stored in the attacker's login history logs
- Using Login CSRF, the attacker forces the victim to authenticate into the attacker's account
- When the victim views the login history in the dashboard, the XSS payload executes
- The script can then access data from other browser tabs or perform actions on behalf of the victim
The attack requires the attacker to hold an account on the target mailcow instance (or the privileges needed to create one), and it depends on the victim having another authenticated mailcow session open in a separate browser tab.
Detection Methods for CVE-2026-40875
Indicators of Compromise
- Unusual or malformed entries in login history logs containing HTML/JavaScript content
- Login records with X-Real-IP values that don't match valid IP address formats
- Unexpected authentication sessions where users report being logged into unfamiliar accounts
Detection Strategies
- Monitor web server logs for HTTP requests containing script tags or JavaScript in the X-Real-IP header
- Implement Content Security Policy (CSP) headers to detect and block inline script execution attempts
- Review login history database entries for non-IP formatted values indicating injection attempts
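The detection strategies above come down to one check: a recorded client IP that does not parse as an IPv4 or IPv6 address is suspicious, and one that contains markup is a likely injection attempt. The following is an added example, not mailcow's own code; it assumes login-history records are available as dicts with a "remote" field (a constructed layout, not mailcow's schema) and runs over constructed sample entries. The same classify() function can be applied to whatever log field captured the X-Real-IP value.

```python
"""Flag login-history entries whose recorded client IP is not a real IP address.

Added example, not mailcow's code. Record layout and sample data are constructed.
"""
import ipaddress
import re

# Constructed sample records in the assumed layout (timestamp, user, recorded IP).
SAMPLE_LOGIN_HISTORY = [
    {"time": "2026-04-20T09:12:01Z", "user": "alice@example.test",   "remote": "203.0.113.7"},
    {"time": "2026-04-20T09:15:44Z", "user": "alice@example.test",   "remote": "2001:db8::1"},
    {"time": "2026-04-20T10:02:13Z", "user": "mallory@example.test", "remote": "<script>alert(1)</script>"},
    {"time": "2026-04-20T10:03:00Z", "user": "bob@example.test",     "remote": "203.0.113.7, 198.51.100.2"},
    {"time": "2026-04-20T10:05:30Z", "user": "bob@example.test",     "remote": ""},
]

# Characters and fragments that have no business in an IP field but matter in HTML.
MARKUP_RE = re.compile(r"""[<>"'`]|javascript:|on\w+\s*=""", re.IGNORECASE)


def is_valid_ip(value: str) -> bool:
    """True only if the value parses as a single IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(value.strip())
        return True
    except ValueError:
        return False


def classify(value: str) -> str:
    """'ok' for a real IP, 'markup' for HTML/JS-looking content, else 'malformed'."""
    if is_valid_ip(value):
        return "ok"
    if MARKUP_RE.search(value):
        return "markup"
    return "malformed"


def find_suspicious(records):
    """Return every record whose recorded IP is not a plain address, with a verdict attached."""
    findings = []
    for rec in records:
        verdict = classify(rec["remote"])
        if verdict != "ok":
            findings.append({**rec, "verdict": verdict})
    return findings


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_LOGIN_HISTORY):
        print(f"{f['time']} {f['user']:<24} {f['verdict']:<9} {f['remote']!r}")
```

A "markup" verdict on a stored login record is the indicator the advisory describes; "malformed" entries (a forwarded-for style list, an empty value, a hostname) point at a proxy that is passing client-supplied headers through unchanged and are worth fixing even when no script is present.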
Monitoring Recommendations
- Enable logging for all authentication events and correlate with user session activity
- Set up alerts for Login CSRF patterns such as cross-origin authentication requests without proper CSRF tokens
- Monitor for anomalous browser behavior indicating script injection in the dashboard interface
How to Mitigate CVE-2026-40875
Immediate Actions Required
- Upgrade mailcow: dockerized to version 2026-03b or later immediately
- Review login history logs for any evidence of exploitation or unusual IP entries
- Implement strict input validation on the X-Real-IP header at the reverse proxy or web server level
Patch Information
The vulnerability is fixed in mailcow: dockerized version 2026-03b. Organizations should upgrade to this version or later to remediate the XSS vulnerability. The patch implements proper HTML escaping when rendering client IP addresses in the login history display. For detailed patch information, see the GitHub Security Advisory.
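To make the fix concrete, here is the defect class next to the render-time escaping the advisory describes. This is an added example in Python, not mailcow's patch or its PHP templates; the row layout, the field names and the sample entries are assumptions. The escaped renderer treats every logged field as untrusted, so a value that was never a valid IP still cannot close a cell or start an element.

```python
"""Login-history row rendering: unescaped (vulnerable pattern) vs. escaped (fixed pattern).

Added example, not mailcow's code. Field names and sample data are constructed.
"""
from html import escape

FIELDS = ("time", "remote", "service")

# Constructed sample entries; the second one carries a stored non-IP value.
SAMPLE_ENTRIES = [
    {"time": "2026-04-20T09:12:01Z", "remote": "203.0.113.7", "service": "SOGo"},
    {"time": "2026-04-20T10:02:13Z", "remote": "<script>alert(1)</script>", "service": "IMAP"},
]


def render_row_unescaped(entry: dict) -> str:
    """Vulnerable pattern: interpolates stored values straight into HTML."""
    return "<tr>" + "".join(f"<td>{entry[k]}</td>" for k in FIELDS) + "</tr>"


def render_row_escaped(entry: dict) -> str:
    """Fixed pattern: html.escape(quote=True) neutralises <, >, &, \" and ' in every cell."""
    return "<tr>" + "".join(f"<td>{escape(str(entry[k]), quote=True)}</td>" for k in FIELDS) + "</tr>"


def render_table(entries, renderer) -> str:
    """Build the whole table with the given row renderer."""
    return "<table>" + "".join(renderer(e) for e in entries) + "</table>"


def leaks_untrusted_tag(rendered: str) -> bool:
    """Detects the specific failure: a stored value reaching the page as a live <script> element."""
    return "<script" in rendered.lower()


if __name__ == "__main__":
    print("unescaped:", render_table(SAMPLE_ENTRIES, render_row_unescaped))
    print("escaped:  ", render_table(SAMPLE_ENTRIES, render_row_escaped))
```

Escaping at render time is the complete fix for the HTML context shown here; it does not depend on the stored value being an IP, which is why it is the right place for the defence even when the reverse proxy is also made to validate or overwrite X-Real-IP.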
Workarounds
- Configure the reverse proxy to validate and sanitize the X-Real-IP header, rejecting values that don't match valid IP address patterns
- Implement Content Security Policy (CSP) headers to mitigate the impact of XSS by blocking inline script execution
- Disable or restrict access to the login history feature until the patch can be applied
- Train users to be cautious of unexpected login prompts that could indicate CSRF attacks
# Example nginx configuration to validate the X-Real-IP header.
# The map block must be placed in the http context (e.g. its own file under
# conf.d/), not inside a server block; only the proxy_set_header line below
# goes into the mailcow server/location block.
map $http_x_real_ip $validated_real_ip {
    default "";
    # IPv4 dotted quad
    "~^([0-9]{1,3}\.){3}[0-9]{1,3}$"                $http_x_real_ip;
    # IPv6: hex groups separated by colons
    "~^([0-9a-fA-F]{0,4}:){2,7}[0-9a-fA-F]{0,4}$"   $http_x_real_ip;
}
# Use $validated_real_ip instead of $http_x_real_ip in your proxy configuration:
#     proxy_set_header X-Real-IP $validated_real_ip;
# If nginx is the first proxy in front of mailcow, prefer
#     proxy_set_header X-Real-IP $remote_addr;
# which ignores any client-supplied value entirely.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


