CVE-2026-40872
Stored XSS in mailcow Admin Dashboard Autodiscover Logs
Publication date: 2026-04-21
Last updated on: 2026-04-22
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| mailcow | mailcow_dockerized | before 2026-03b (2026-03b itself excluded) |
| mailcow | dockerized | before 2026-03b (2026-03b itself excluded) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
| CWE-80 | The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as "<", ">", and "&" that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-40872 is a critical stored Cross-Site Scripting (XSS) vulnerability in the mailcow-dockerized package, affecting versions prior to 2026-03b. The admin dashboard's Autodiscover log view renders the EMailAddress field of logged requests without HTML escaping.
An attacker can send an unauthenticated Autodiscover request whose EMailAddress contains HTML or JavaScript. The value is stored in Redis along with the rest of the log entry and is executed in the administrator's browser when the Autodiscover logs are viewed.
The root cause is inconsistent output encoding: other fields in the same log view, such as the user agent and the service name, are escaped, but the EMailAddress field is written into the page as-is, so arbitrary HTML/JS can be injected through it.
How can this vulnerability impact me?
This vulnerability allows an unauthenticated attacker to execute arbitrary JavaScript in the context of the administrator's browser when they view the Autodiscover logs.
Exploitation can lead to full compromise of the administrator's session, including the ability to read mailboxes, reset passwords, and potentially take over other services.
The attack requires no authentication and no user interaction other than the administrator viewing the logs, making it highly dangerous.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for unauthenticated POST requests to the endpoint /Autodiscover/Autodiscover.xml containing crafted XML payloads with malicious HTML or JavaScript in the <EMailAddress> field.
A practical detection method is to inspect incoming HTTP requests to the Autodiscover endpoint for suspicious payloads that include HTML tags or JavaScript event handlers within the EMailAddress field.
For example, you can use network traffic capture tools like tcpdump or Wireshark to filter HTTP POST requests to /Autodiscover/Autodiscover.xml and analyze the payloads.
- Using tcpdump to capture relevant traffic: tcpdump -i any -A -s 0 'tcp port 80 or tcp port 443' | grep -i 'POST /Autodiscover/Autodiscover.xml' (note that this only matches plaintext HTTP on port 80; on port 443 the request is inside TLS, so inspect the request at the reverse proxy, or in access logs that record request bodies, instead)
- Using curl or similar tools to test if your system is vulnerable by sending a crafted XML payload with HTML/JS in the EMailAddress field.
Additionally, reviewing the Autodiscover logs in the admin dashboard for entries where the user field contains unescaped HTML or JavaScript code can help detect exploitation attempts.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade mailcow-dockerized to version 2026-03b or later, where this vulnerability has been fixed.
Until the upgrade can be applied, restrict access to the admin dashboard to trusted users only, minimizing the risk of an administrator viewing malicious Autodiscover logs.
Consider monitoring and filtering incoming requests to the /Autodiscover/Autodiscover.xml endpoint to block suspicious payloads containing HTML or JavaScript.
Avoid viewing the Autodiscover logs in the admin dashboard until the patch is applied to prevent execution of stored malicious scripts.
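As an added example for the detection and mitigation answers above (this is illustrative code written for this page, not part of the mailcow project or of this record), the following Python script triages Autodiscover request bodies and shows the output-encoding fix the advisory describes. It extracts the EMailAddress field from request bodies (constructed samples are embedded; in practice they would come from the reverse proxy or a body-logging access log), flags values that carry markup, inline event handlers or anything that is not a plain address, and escapes the value the way the dashboard should before writing it into the page. The sample bodies, the allow-list pattern and the function names are assumptions for this example.

```python
"""Triage Autodiscover request bodies for HTML/JS in <EMailAddress>, and
render the field the way the dashboard should: HTML-escaped."""
import html
import re

# Constructed sample request bodies for this example (not captured traffic).
# Outlook-style clients POST this XML to /Autodiscover/Autodiscover.xml.
SAMPLE_REQUESTS = {
    "benign": (
        '<?xml version="1.0" encoding="utf-8"?>'
        '<Autodiscover xmlns="http://schemas.microsoft.com/exchange/'
        'autodiscover/outlook/requestschema/2006"><Request>'
        "<EMailAddress>alice+mail@example.com</EMailAddress>"
        "<AcceptableResponseSchema>http://schemas.microsoft.com/exchange/"
        "autodiscover/outlook/responseschema/2006a</AcceptableResponseSchema>"
        "</Request></Autodiscover>"
    ),
    # Tags carried as XML entities: well-formed XML that decodes to "<script>".
    "entity_encoded_tag": (
        "<Autodiscover><Request><EMailAddress>"
        "&lt;script&gt;alert(1)&lt;/script&gt;@example.com"
        "</EMailAddress></Request></Autodiscover>"
    ),
    # Same idea via CDATA, carrying an inline event handler as well as a tag.
    "cdata_event_handler": (
        "<Autodiscover><Request><EMailAddress>"
        "<![CDATA[<b onmouseover=alert(1)>bob</b>@example.com]]>"
        "</EMailAddress></Request></Autodiscover>"
    ),
    "no_field": "<Autodiscover><Request></Request></Autodiscover>",
}

FIELD_RE = re.compile(r"<EMailAddress[^>]*>(.*?)</EMailAddress>", re.I | re.S)
CDATA_RE = re.compile(r"^\s*<!\[CDATA\[(.*?)\]\]>\s*$", re.S)
# Conservative allow-list of what a legitimate client sends; anything else
# deserves a look, whatever the exact payload (assumed pattern).
ADDRESS_RE = re.compile(
    r"^[A-Za-z0-9._%+-]{1,64}@[A-Za-z0-9.-]{1,253}\.[A-Za-z]{2,}$")
EVENT_HANDLER_RE = re.compile(r"\bon[a-z]+\s*=", re.I)


def extract_email_field(body: str):
    """Return the decoded <EMailAddress> value, or None if the field is absent.

    A regex is used instead of an XML parser so that malformed bodies, which a
    lax server-side handler may still accept and log, are triaged as well."""
    m = FIELD_RE.search(body)
    if not m:
        return None
    raw = m.group(1)
    cdata = CDATA_RE.match(raw)
    # CDATA content is literal; otherwise entities decode to their characters.
    return cdata.group(1) if cdata else html.unescape(raw)


def classify_email_field(body: str) -> dict:
    """Triage one request body. 'suspicious' is True when the value could
    carry markup into a page that renders it unescaped."""
    value = extract_email_field(body)
    if value is None:
        return {"value": None, "suspicious": False, "reasons": ["no-emailaddress"]}
    reasons = []
    if "<" in value or ">" in value:
        reasons.append("html-tag")
    if EVENT_HANDLER_RE.search(value):
        reasons.append("event-handler")
    if "javascript:" in value.lower():
        reasons.append("javascript-uri")
    if not ADDRESS_RE.match(value):
        reasons.append("not-an-address")
    return {"value": value, "suspicious": bool(reasons), "reasons": reasons}


def safe_log_cell(value: str) -> str:
    """The rendering fix the advisory describes: escape the field before it is
    written into the dashboard HTML, as the user-agent and service fields are."""
    return html.escape(value, quote=True)


if __name__ == "__main__":
    for label, body in SAMPLE_REQUESTS.items():
        result = classify_email_field(body)
        shown = safe_log_cell(result["value"]) if result["value"] else "-"
        print(f"{label:22} suspicious={result['suspicious']!s:5} "
              f"reasons={result['reasons']} cell={shown}")
```

The allow-list check (`not-an-address`) is the one to rely on: a blocklist of `<`, `on...=` and `javascript:` documents the known payload shapes, but a value that is not a plain mailbox address is suspect regardless of which markup it carries. The escaping in `safe_log_cell` is context-specific to an HTML text node or attribute; a dashboard that inserts the value via JavaScript or into a URL needs the encoding for that context instead.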
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows an unauthenticated attacker to execute arbitrary JavaScript in the administrator's browser, potentially leading to full compromise of the administrator's session, including mailbox reading and password resets.
Such a compromise could lead to unauthorized access to sensitive personal data, which may violate data protection regulations like GDPR and HIPAA that require safeguarding personal and health information.
Therefore, exploitation of this vulnerability could result in non-compliance with these standards due to failure to adequately protect confidentiality and integrity of sensitive data.