CVE-2026-40874
CWE-284Published: April 21, 2026· Updated: Apr 22, 2026
Official Description
mailcow: dockerized is an open source groupware/email suite based on docker. In versions prior to 2026-03b, no administrator verification takes place when deleting Forwarding Hosts with `/api/v1/delete/fwdhost`. Any authenticated user can call this API. Checks are only applied for edit/add actions, but deletion can still significantly disrupt the mail service. Version 2026-03b fixes the vulnerability.
Technical Analysis
CVE-2026-40874 can be exploited remotely over the network without requiring physical or adjacent access, significantly expanding the attack surface for threat actors.
Exploitation requires low privileges, which limits the exposure to scenarios where an attacker has already gained initial access.
CVSS v3.1 Vector Breakdown
Affected Vendors & Products
Exploit & PoC Resources
All References (1)
Quick Facts
Related CVEs (CWE-284)
Recommended Actions
- →Apply vendor patches immediately
- →Monitor CVE-2026-40874 in threat intel feeds
- →Review IDS/IPS signatures for exploitation attempts