CVE-2026-40874
Unauthorized Deletion Vulnerability in mailcow Forwarding Hosts

Publication date: 2026-04-21

Last updated on: 2026-04-21

Assigner: GitHub, Inc.

Description
mailcow: dockerized is an open source groupware/email suite based on docker. In versions prior to 2026-03b, no administrator verification takes place when deleting Forwarding Hosts with `/api/v1/delete/fwdhost`. Any authenticated user can call this API. Checks are only applied for edit/add actions, but deletion can still significantly disrupt the mail service. Version 2026-03b fixes the vulnerability.
Meta Information
Published: 2026-04-21
Last Modified: 2026-04-21
Generated: 2026-05-07
AI Q&A: 2026-04-21
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor   Product             Version / Range
mailcow  mailcow_dockerized  up to 2026-03b (excluding)
mailcow  dockerized          up to 2026-03b (excluding)
CWE
CWE-284  The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-40874 is a vulnerability in mailcow-dockerized versions prior to 2026-03b where the deletion of Forwarding Hosts via the API endpoint `/api/v1/delete/fwdhost` lacks proper administrator verification.

While adding and editing Forwarding Hosts require the user to have an admin role, deleting a Forwarding Host does not check the user's privileges, allowing any authenticated user to delete these hosts.

This flaw exists because the delete action processes requests without verifying if the user is an administrator, enabling low-privilege authenticated users to remove critical mail forwarding configurations.
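
To make the described defect concrete, the following is an added illustration (not mailcow's code): a minimal in-memory model of a `fwdhost` API dispatcher, with the administrator check driven from one central policy set instead of being repeated inside each handler. The handler names, session layout, role values and sample host address are assumptions; the only page-derived fact is that add/edit were checked while delete was not.

```python
# Added illustration, not mailcow's code. Models the fwdhost API as described
# in the advisory: add/edit required admin, delete did not.

VULNERABLE_ADMIN_ONLY = {"add", "edit"}          # delete is missing here: the defect
HARDENED_ADMIN_ONLY = {"add", "edit", "delete"}  # every mutating action is checked


class Forbidden(Exception):
    """Raised when a session lacks the privilege an action requires."""


def fwdhost_api(action, session, payload, hosts, admin_only):
    """Dispatch /api/v1/<action>/fwdhost against `hosts`, a set of IP strings.

    `session` is an assumed dict with 'authenticated' and 'role' keys;
    `admin_only` is the policy set deciding which actions need an admin.
    """
    if not session.get("authenticated"):
        raise Forbidden("login required")
    # One check keyed on the action, so no handler can forget to apply it.
    if action in admin_only and session.get("role") != "admin":
        raise Forbidden(f"{action}/fwdhost requires an administrator")
    ip = payload["ip"]
    if action == "add":
        hosts.add(ip)
    elif action == "edit":
        hosts.discard(payload["old_ip"])
        hosts.add(ip)
    elif action == "delete":
        hosts.discard(ip)
    else:
        raise ValueError(f"unknown action {action!r}")
    return {"type": "success", "msg": f"{action} {ip}"}


def low_priv_can_delete(admin_only):
    """Return True if a non-admin session can remove a host under this policy."""
    hosts = {"203.0.113.10"}  # constructed sample forwarding host (TEST-NET-3)
    user = {"authenticated": True, "role": "user"}
    try:
        fwdhost_api("delete", user, {"ip": "203.0.113.10"}, hosts, admin_only)
    except Forbidden:
        pass
    return "203.0.113.10" not in hosts


if __name__ == "__main__":
    print("vulnerable policy:", low_priv_can_delete(VULNERABLE_ADMIN_ONLY))  # True
    print("hardened policy:", low_priv_can_delete(HARDENED_ADMIN_ONLY))      # False
```

The fix in the model is the single added entry in the policy set; keeping such checks in one place is what turns a per-handler omission into a visible gap in a table.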


How can this vulnerability impact me?

This vulnerability can significantly disrupt mail services that rely on Forwarding Hosts by allowing any authenticated user to delete these hosts.

Since Forwarding Hosts are critical for mail forwarding, their unauthorized deletion can cause mail delivery failures or interruptions.

The attack requires low privileges and no user interaction, making it easier for attackers with authenticated access to cause high availability impact on the mail service.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by checking if unauthorized users are able to delete Forwarding Hosts via the API endpoint `/api/v1/delete/fwdhost` without administrator verification.

A proof of concept involves logging in as a low-privilege authenticated user and issuing a POST request to `/api/v1/delete/fwdhost` with the target IP address in the request body. If the API responds with success and the Forwarding Host is deleted, the system is vulnerable.

Suggested command using curl to test the vulnerability (replace <mailcow-server>, <IP_ADDRESS> and <SESSION_COOKIE> accordingly):

  • curl -X POST https://<mailcow-server>/api/v1/delete/fwdhost -H "Cookie: <SESSION_COOKIE>" -d '{"ip":"<IP_ADDRESS>"}' -H "Content-Type: application/json"

If the response indicates success and the Forwarding Host is removed without admin privileges, the vulnerability exists.


What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation step is to upgrade mailcow-dockerized to version 2026-03b or later, where proper authorization checks on the delete Forwarding Host API endpoint have been implemented.

Until the upgrade can be applied, restrict access to the API endpoint `/api/v1/delete/fwdhost` to trusted administrators only, for example by network segmentation or firewall rules.

Additionally, monitor API usage logs for suspicious delete requests from low-privilege users and review Forwarding Host configurations regularly to detect unauthorized deletions.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability allows any authenticated user to delete Forwarding Hosts without administrator verification, leading to significant disruption of mail services. However, there is no indication from the provided information that this vulnerability impacts confidentiality or integrity of data.

Since the vulnerability does not affect confidentiality or integrity but mainly availability, its direct impact on compliance with standards like GDPR or HIPAA, which emphasize protection of personal data confidentiality and integrity, is limited. Nonetheless, disruption of mail services could indirectly affect compliance if it impedes timely communication or incident response.

