Executive Summary

CVE-2026-40874 is a vulnerability in mailcow-dockerized versions prior to 2026-03b where the deletion of Forwarding Hosts via the API endpoint `/api/v1/delete/fwdhost` lacks proper administrator verification.

While adding and editing Forwarding Hosts require the user to have an admin role, deleting a Forwarding Host does not check the user's privileges, allowing any authenticated user to delete these hosts.

This flaw exists because the delete action processes requests without verifying if the user is an administrator, enabling low-privilege authenticated users to remove critical mail forwarding configurations.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can significantly disrupt mail services that rely on Forwarding Hosts by allowing any authenticated user to delete these hosts.

Since Forwarding Hosts are critical for mail forwarding, their unauthorized deletion can cause mail delivery failures or interruptions.

The attack requires low privileges and no user interaction, making it easier for attackers with authenticated access to cause high availability impact on the mail service.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by checking if unauthorized users are able to delete Forwarding Hosts via the API endpoint `/api/v1/delete/fwdhost` without administrator verification.

A proof of concept involves logging in as a low-privilege authenticated user and issuing a POST request to `/api/v1/delete/fwdhost` with the target IP address in the request body. If the API responds with success and the Forwarding Host is deleted, the system is vulnerable.

Suggested command using curl to test the vulnerability (replace <IP_ADDRESS> and <SESSION_COOKIE> accordingly):

• curl -X POST https://<mailcow-server>/api/v1/delete/fwdhost -H "Cookie: <SESSION_COOKIE>" -d '{"ip":"<IP_ADDRESS>"}' -H "Content-Type: application/json"

If the response indicates success and the Forwarding Host is removed without admin privileges, the vulnerability exists.

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to upgrade mailcow-dockerized to version 2026-03b or later, where proper authorization checks on the delete Forwarding Host API endpoint have been implemented.

Until the upgrade can be applied, restrict access to the API endpoint `/api/v1/delete/fwdhost` to trusted administrators only, for example by network segmentation or firewall rules.

Additionally, monitor API usage logs for suspicious delete requests from low-privilege users and review Forwarding Host configurations regularly to detect unauthorized deletions.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability allows any authenticated user to delete Forwarding Hosts without administrator verification, leading to significant disruption of mail services. However, there is no indication from the provided information that this vulnerability impacts confidentiality or integrity of data.

Since the vulnerability does not affect confidentiality or integrity but mainly availability, its direct impact on compliance with standards like GDPR or HIPAA—which emphasize protection of personal data confidentiality and integrity—is limited. Nonetheless, disruption of mail services could indirectly affect compliance if it impedes timely communication or incident response.

Useful 0 Not Useful 0