External risk intelligence

mailcow: attackers can control your service by tricking admins into viewing malicious logs

CVE advisory

Severity: CRITICAL (CVSS 9.3)

CVE-2026-40872

A vulnerability in mailcow: dockerized allows unauthenticated attackers to run code by tricking administrators into viewing specially crafted logs, potentially taking over your email service.

Halo Surface Signal score: 5

Cross-site Scripting

External exposure likelihood

Halo Surface Signal score for CVE-2026-40872

The vulnerability affects an email suite's Autodiscover component. This service is designed to be reachable from the internet to support automated mail client configuration. As the trigger requires sending a request to this publicly accessible service, the surface is inherently internet-facing by design in normal deployments.

PCI scan relevance

PCI Relevance for CVE-2026-40872

Yes

CVE-2026-40872 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This cross-site scripting vulnerability in mailcow: dockerized could lead to a PCI ASV scan failure due to potential code execution.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

Horizon Alert

Summary of the vulnerability and why it matters

This vulnerability in mailcow: dockerized allows an unauthenticated attacker to execute code by submitting a specially crafted Autodiscover request. The flaw is a failure to properly escape HTML/JavaScript in logged email addresses; the injected script runs when an administrator views the logs. This could lead to a compromise of the email server.

  • Unauthenticated access to a core service.
  • Execution of arbitrary code on the server.
  • Affects email and groupware services.

Attack Path

How an attacker could exploit the issue

An unauthenticated attacker can exploit this by sending a specially crafted Autodiscover request to the mailcow instance. The EMailAddress field of that request, containing HTML and JavaScript, is stored in the Autodiscover log. When an administrator later views the Autodiscover logs, the embedded script executes within their browser, potentially allowing the attacker to take control of the administrator's session.

  • Target: Admin Autodiscover logs.
  • Vulnerable Action: Autodiscover request submission.
  • Precondition: Admin views logs.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could be attractive to attackers due to its ability to execute arbitrary JavaScript in the context of an admin user, potentially leading to account takeover or further compromise of the mailcow instance. The unauthenticated nature and direct execution upon log viewing present a compelling attack vector.

  • Public exploit code exists.
  • Exploitation observed in the wild.
  • Recency signal is strong.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Prioritize patching affected mailcow installations immediately, as unauthenticated users can execute arbitrary JavaScript in an admin's browser by manipulating Autodiscover logs. If patching is delayed, restrict network access to the Autodiscover endpoint and monitor logs for suspicious requests targeting the user field.

  • Apply version 2026-03b or later.
  • Block Autodiscover network access.
  • Log and alert on Autodiscover requests.
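The defender-side checks described above, as an added example that is not mailcow's own code: a strict allow-list for what a logged Autodiscover address may look like, html.escape for rendering any logged value into an admin page, and a scan over log records that flags entries carrying markup. The JSON-per-line record shape and the `user` key are assumptions made for illustration.

```python
import html
import json
import re

# Strict shape for a value that belongs in an Autodiscover EMailAddress field.
# Angle brackets, quotes, equals signs or whitespace have no place in a mailbox
# address, so their presence in a logged value is a stored-XSS signal.
SAFE_ADDRESS = re.compile(r"^[A-Za-z0-9._%+\-]+@[A-Za-z0-9.\-]+\.[A-Za-z]{2,}$")
MARKUP = re.compile(r"[<>\"'=]|javascript:", re.IGNORECASE)


def classify_address(addr: str) -> str:
    """Return 'ok', 'markup' (HTML/JS characters present) or 'malformed'."""
    if SAFE_ADDRESS.match(addr):
        return "ok"
    if MARKUP.search(addr):
        return "markup"
    return "malformed"


def render_log_cell(addr: str) -> str:
    """Escaped form for inserting a logged value into the admin log page.
    quote=True also neutralises injection into an attribute context."""
    return html.escape(addr, quote=True)


def scan_log(lines):
    """Parse JSON-per-line Autodiscover records (assumed format) and flag
    any whose address field is not a plain mailbox address."""
    findings = []
    for n, line in enumerate(lines, 1):
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            findings.append((n, "unparseable", line[:80]))
            continue
        addr = str(rec.get("user", ""))  # 'user' key is an assumption
        verdict = classify_address(addr)
        if verdict != "ok":
            findings.append((n, verdict, render_log_cell(addr)))
    return findings


# Constructed sample records, not real mailcow log output.
SAMPLE_LOG = [
    '{"time": "2026-04-01T10:00:00Z", "ua": "Outlook", "user": "alice@example.com"}',
    '{"time": "2026-04-01T10:00:05Z", "ua": "curl/8.0", "user": "bob<script>alert(1)</script>@example.com"}',
    '{"time": "2026-04-01T10:00:09Z", "ua": "Thunderbird", "user": "carol@@example"}',
]

if __name__ == "__main__":
    for n, verdict, shown in scan_log(SAMPLE_LOG):
        print(f"line {n}: {verdict}: {shown}")
```

Only the escaped form ever reaches the alert or dashboard, so the detection output cannot itself become a second injection point.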

Frequently asked questions

What is mailcow: dockerized and what is it used for?

Mailcow: dockerized is an open-source email and groupware suite that runs on Docker. It provides a comprehensive set of tools for managing email services, including mail servers, antispam, antivirus, and webmail clients, enabling users to host their own email infrastructure.

What kind of vulnerability is CVE-2026-40872?

CVE-2026-40872 is a cross-site scripting (XSS) vulnerability. Specifically, it involves improper HTML escaping in the Autodiscover logs, allowing an attacker to inject and execute malicious scripts.

How can an attacker exploit this vulnerability?

An attacker can exploit this by sending an unauthenticated Autodiscover request with a specially crafted email address containing HTML or JavaScript. This payload is stored and executed when an administrator views the Autodiscover logs. Access to the Autodiscover functionality itself is not a precondition for exploitation.

Who should be concerned about CVE-2026-40872?

Organizations using mailcow: dockerized should be concerned, especially if their Autodiscover service is exposed to the internet. This is because the vulnerability allows for potential code execution through the Autodiscover component, which is typically internet-facing to facilitate client configuration.

What is the first step to respond to this threat?

The immediate first step is to update mailcow: dockerized to version 2026-03b or later, as this version addresses the vulnerability. If an immediate update is not possible, consider restricting network access to the Autodiscover endpoint and monitoring logs for suspicious requests.

References