Mailcow Critical Alert: Unauthenticated XSS Threatens Admin Takeover

The popular open-source groupware suite mailcow: dockerized is facing a high-stakes security challenge. A critical Stored Cross-Site Scripting (XSS) vulnerability has been discovered in the platform’s administrative dashboard, potentially allowing unauthenticated attackers to hijack administrator sessions and compromise entire mail systems.

The flaw, tracked as CVE-2026-40872 with a severe CVSS score of 9.3, targets the very logs meant to help administrators monitor their servers.

The vulnerability lies within the Autodiscover service, a component used by email clients to automatically configure server settings.

When an Autodiscover request is made, mailcow logs the provided email address to the admin dashboard. However, the dashboard’s rendering engine fails to perform proper HTML escaping on the email address field. This allows a “crafted EMailAddress containing HTML/JS” to be stored in the system’s Redis database.

The attack sequence is alarmingly simple:

1. Unauthenticated Injection: An attacker sends a basic, unauthenticated POST request to the /Autodiscover/Autodiscover.xml endpoint.
2. Malicious Payload: The request includes a script instead of a standard email address, such as <img src=x onerror=alert(origin)>.
3. Silent Execution: The payload sits quietly in the logs until an administrator visits the Autodiscover logs section of the dashboard. The moment the log is viewed, the malicious script executes in the admin’s browser.

While a simple alert box is used in demonstrations, the real-world impact is devastating. Because the script runs within the administrator’s authenticated session, an attacker can “do anything the administrator can”.

Potential consequences include:

• Mailbox Access: Attackers can read private messages across any mailbox on the server.
• Lateral Movement: By accessing emails, attackers can trigger password resets for other external services linked to those mailboxes, leading to a broader infrastructure takeover.
• Session Hijacking: The attacker can steal administrative session cookies to maintain persistent access to the mailcow instance.

The mailcow team has released a patch to address this vulnerability by ensuring the “user” (email) field is correctly HTML-escaped before rendering.

Immediate Recommendations:

• Update Immediately: Administrators should upgrade their mailcow installations to version 2026-03b or higher as soon as possible to mitigate the risk of unauthenticated log spraying.
• Audit Logs: Review Autodiscover logs for any unusual entries or script-like patterns that may have been injected prior to patching.
• Rotate Credentials: If you suspect an administrator viewed suspicious logs, consider rotating admin passwords and ending all active sessions as a precaution.