Compliance Impact

The vulnerability allows an unauthenticated attacker to execute arbitrary JavaScript in the administrator's browser, potentially leading to full compromise of the administrator’s session, including mailbox reading and password resets.

Such a compromise could lead to unauthorized access to sensitive personal data, which may violate data protection regulations like GDPR and HIPAA that require safeguarding personal and health information.

Therefore, exploitation of this vulnerability could result in non-compliance with these standards due to failure to adequately protect confidentiality and integrity of sensitive data.

Useful 0 Not Useful 0

Executive Summary

CVE-2026-40872 is a critical stored Cross-Site Scripting (XSS) vulnerability in the mailcow-dockerized package, affecting versions prior to 2026-03b. The vulnerability occurs because the admin dashboard's Autodiscover logs render the EMailAddress field without proper HTML escaping.

An attacker can send an unauthenticated Autodiscover request containing a crafted EMailAddress with malicious HTML or JavaScript. This payload is stored in Redis and executed when an administrator views the Autodiscover logs, causing the malicious script to run in the admin's browser.

This happens because while other fields like user agent and service name are properly escaped, the EMailAddress field is not, allowing injection of arbitrary HTML/JS code.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows an unauthenticated attacker to execute arbitrary JavaScript in the context of the administrator’s browser when they view the Autodiscover logs.

Exploitation can lead to full compromise of the administrator’s session, including the ability to read mailboxes, reset passwords, and potentially take over other services.

The attack requires no authentication and no user interaction other than the administrator viewing the logs, making it highly dangerous.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by monitoring for unauthenticated POST requests to the endpoint /Autodiscover/Autodiscover.xml containing crafted XML payloads with malicious HTML or JavaScript in the <EMailAddress> field.

A practical detection method is to inspect incoming HTTP requests to the Autodiscover endpoint for suspicious payloads that include HTML tags or JavaScript event handlers within the EMailAddress field.

For example, you can use network traffic capture tools like tcpdump or Wireshark to filter HTTP POST requests to /Autodiscover/Autodiscover.xml and analyze the payloads.

• Using tcpdump to capture relevant traffic: tcpdump -i any -A -s 0 'tcp port 80 or tcp port 443' | grep -i 'POST /Autodiscover/Autodiscover.xml'
• Using curl or similar tools to test if your system is vulnerable by sending a crafted XML payload with HTML/JS in the EMailAddress field.

Additionally, reviewing the Autodiscover logs in the admin dashboard for entries where the user field contains unescaped HTML or JavaScript code can help detect exploitation attempts.

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to upgrade mailcow-dockerized to version 2026-03b or later, where this vulnerability has been fixed.

Until the upgrade can be applied, restrict access to the admin dashboard to trusted users only, minimizing the risk of an administrator viewing malicious Autodiscover logs.

Consider monitoring and filtering incoming requests to the /Autodiscover/Autodiscover.xml endpoint to block suspicious payloads containing HTML or JavaScript.

Avoid viewing the Autodiscover logs in the admin dashboard until the patch is applied to prevent execution of stored malicious scripts.

Useful 0 Not Useful 0