Vulnerability in Mailcow Mailcow-dockerized
CVE-2026-40874
mailcow: dockerized is an open source groupware/email suite based on Docker. In versions prior to 2026-03b, no administrator verification takes place when deleting Forwarding Hosts with `/api/v1/delete/fwdhost`. Any authenticated user can…
EPSS: 0.001 (15.8th percentile)
Affected products
- Mailcow Mailcow-dockerized — versions < 2026-03b
Weakness classification (CWE)
References
- https://github.com/mailcow/mailcow-dockerized/security/advisories/GHSA-jjxh-rm7p-hjc3 (x_refsource_CONFIRM)