CVE-2026-7460 Overview
CVE-2026-7460 is a stored cross-site scripting (XSS) vulnerability in the mailcow-dockerized administrator Queue Manager. The Queue Manager retrieves mail queue entries from the /api/v1/get/mailq/all endpoint and copies server-controlled Postfix queue fields directly into DataTables rows. Several of those fields are rendered as HTML without adequate output encoding, allowing attacker-controlled content to execute in an administrator's browser session. The flaw is tracked under CWE-79 and affects mailcow-dockerized release 2026-03b.
Critical Impact
An attacker who can place crafted content into the Postfix mail queue can execute arbitrary JavaScript in an authenticated administrator's browser, leading to session hijacking, configuration tampering, or full administrative takeover of the mail server.
Affected Products
- mailcow-dockerized version 2026-03b
- Deployments exposing the administrator Queue Manager UI
- Mailcow instances accepting external mail submissions into Postfix
Discovery Timeline
- 2026-05-20 - CVE-2026-7460 published to NVD
- 2026-05-20 - Last updated in NVD database
Technical Details for CVE-2026-7460
Vulnerability Analysis
The vulnerability resides in the administrator Queue Manager component of mailcow-dockerized. The frontend issues an authenticated request to /api/v1/get/mailq/all, which returns mail queue metadata sourced from Postfix. The application then assigns several of those fields into DataTables row definitions and renders them as raw HTML.
Because the queue contains fields populated by remote senders, including envelope addresses, recipients, and error reasons, an attacker controls part of the rendered DOM. When the administrator opens the Queue Manager, the browser parses the attacker-supplied markup and executes any embedded script in the administrative origin.
The issue is categorized as stored XSS [CWE-79]: malicious content persists in the mail queue and triggers on each subsequent view by privileged users. Exploitation requires user interaction from a logged-in administrator who navigates to the Queue Manager view.
Root Cause
The Queue Manager treats Postfix queue fields as trusted strings and inserts them into DataTables cells without HTML encoding. The rendering pipeline allows tag interpretation rather than escaping characters such as <, >, and ". Server-controlled does not mean attacker-free, since Postfix queue entries reflect data supplied by remote SMTP clients.
Attack Vector
An unauthenticated remote attacker submits an email to the mailcow instance with crafted headers or envelope values containing HTML and JavaScript payloads. The message is accepted into the Postfix queue, where it remains visible to operators. When an administrator opens the Queue Manager, the payload renders and executes in the browser session. The attacker can then steal session cookies, issue authenticated API calls, alter mailbox configuration, or pivot to other administrative functions. See the Fluid Attacks Security Advisory for technical details.
Detection Methods for CVE-2026-7460
Indicators of Compromise
- Mail queue entries containing HTML tags, <script> fragments, or on* event handler attributes in envelope or error fields
- Unexpected outbound HTTP requests originating from administrator browser sessions shortly after Queue Manager access
- Unauthorized changes to mailcow configuration, mailboxes, or API keys following administrator review of the queue
Detection Strategies
- Inspect responses from /api/v1/get/mailq/all for fields containing HTML control characters and script-like payloads
- Review web server access logs for administrator sessions making unexpected POST requests to mailcow API endpoints immediately after loading the Queue Manager
- Correlate inbound SMTP traffic carrying suspicious header content with subsequent administrative actions
Monitoring Recommendations
- Alert on Postfix queue entries whose metadata fields contain <, >, or JavaScript URI schemes
- Monitor administrator account activity for anomalous API calls following queue inspection
- Capture and retain mail queue contents to support forensic review when XSS payloads are suspected
How to Mitigate CVE-2026-7460
Immediate Actions Required
- Restrict access to the mailcow administrator interface to trusted networks or VPN until a patched release is deployed
- Avoid opening the Queue Manager view on vulnerable 2026-03b instances; use command-line Postfix tools such as mailq and postsuper instead
- Rotate administrator credentials and API keys if Queue Manager has been accessed since exposure to untrusted senders
Patch Information
No fixed version is identified in the published advisory at the time of writing. Monitor the GitHub Repository for Mailcow for security releases addressing CVE-2026-7460, and apply the next mailcow-dockerized update that references this advisory.
Workarounds
- Place the mailcow web UI behind an authenticating reverse proxy that enforces network-level access controls
- Apply a strict Content-Security-Policy header at the reverse proxy that disallows inline script execution in the administrator origin
- Use Postfix CLI utilities to inspect and manage the queue until the Queue Manager view is patched
# Example: inspect and clear suspicious queue entries from the CLI
docker exec -it mailcowdockerized-postfix-mailcow-1 mailq
docker exec -it mailcowdockerized-postfix-mailcow-1 postsuper -d <QUEUE_ID>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
