Mailcow: Dockerized Second-Order SQL Injection Vulnerability in Quarantine Category via API

Vulnerability

A second-order SQL injection vulnerability has been identified in mailcow: dockerized versions prior to 2026-03b. The issue arises in the quarantine_category field through the Mailcow API. The /api/v1/add/mailbox endpoint accepts quarantine_category values without proper validation or sanitization and stores them as given. The injection is second-order because the stored value is not used in a query at submission time: it is read back later by quarantine_notify.py, which builds SQL queries with unsafe string formatting, so the injection fires when the notification job runs. Exploitation allows attackers to inject arbitrary SQL, exfiltrate sensitive data such as admin credentials, and have that information included in quarantine notification emails.

Impact

Successful exploitation allows an attacker to inject SQL payloads that are executed when the quarantine notification job runs, potentially leading to unauthorized data access or manipulation. In this case, admin credentials could be extracted and sent via email.

Reproduction

To reproduce this vulnerability, create a mailbox through the Mailcow API and include a malicious SQL payload in the quarantine_category field. Once the payload is stored in the database, trigger a quarantine event for that mailbox. The quarantine_notify.py script will process the event and use the stored value to construct a SQL query, which executes the injected payload. The result is the exfiltration of sensitive data, such as admin credentials, into the quarantine notification email.

Remediation

Users can update to Mailcow: Dockerized version 2026-03b or later to address this vulnerability.
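The two defects the advisory describes (no validation at the API boundary, and the stored value later formatted into SQL text) are illustrated below as an added example; this is not mailcow's code, and the schema, the table rows and the allowlist of category names are constructed for the demonstration. The unsafe and the hardened query are shown side by side so the difference in behaviour on the same stored value is visible.

```python
import sqlite3

# Assumed allowlist of quarantine categories. The names are constructed for
# this example and are not taken from the mailcow source.
ALLOWED_CATEGORIES = frozenset({"reject", "add_header", "all"})


def validate_quarantine_category(value):
    """Boundary check for the API: accept only an exact allowlisted string.

    Raises ValueError for anything else, so a crafted value never reaches
    the database and therefore can never be read back by the notify job.
    """
    if not isinstance(value, str) or value not in ALLOWED_CATEGORIES:
        raise ValueError("invalid quarantine_category: %r" % (value,))
    return value


def rejects(value):
    """True if the validator refuses `value` (helper for checks)."""
    try:
        validate_quarantine_category(value)
    except ValueError:
        return True
    return False


def setup_db():
    """In-memory stand-in for the mail database (constructed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE quarantine (id INTEGER, rcpt TEXT, subject TEXT, action TEXT)"
    )
    conn.executemany(
        "INSERT INTO quarantine VALUES (?, ?, ?, ?)",
        [
            (1, "alice@example.test", "Invoice", "reject"),
            (2, "alice@example.test", "Newsletter", "add_header"),
            (3, "bob@example.test", "Report", "reject"),
        ],
    )
    return conn


def pending_items_unsafe(conn, rcpt, category):
    """The vulnerable pattern: a value read back from storage is spliced into
    the SQL text. At this point the value is trusted as 'already in the DB',
    which is exactly the second-order mistake."""
    sql = (
        "SELECT id, subject FROM quarantine "
        "WHERE rcpt = '%s' AND action = '%s' ORDER BY id" % (rcpt, category)
    )
    return conn.execute(sql).fetchall()


def pending_items_safe(conn, rcpt, category):
    """Hardened form: placeholders keep the stored value as data, whatever
    it contains."""
    sql = (
        "SELECT id, subject FROM quarantine "
        "WHERE rcpt = ? AND action = ? ORDER BY id"
    )
    return conn.execute(sql, (rcpt, category)).fetchall()


def demo():
    """Run the same stored values through both query builders."""
    conn = setup_db()
    benign = "reject"
    # Constructed hostile value: a tautology that widens the WHERE clause
    # when interpolated, and is just a non-matching string when bound.
    hostile = "x' OR 'a'='a"
    return {
        "unsafe_benign": pending_items_unsafe(conn, "alice@example.test", benign),
        "unsafe_hostile": pending_items_unsafe(conn, "alice@example.test", hostile),
        "safe_hostile": pending_items_safe(conn, "alice@example.test", hostile),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

The fix needs both halves: the allowlist stops the value being stored, and the bound parameters make the notify job safe even for rows that were written before the validator existed. Either alone leaves a gap, which is why a patch to the API endpoint should be paired with a review of every place quarantine_category is read back.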

Added: Apr 21, 2026, 11:49 PM
Updated: Apr 21, 2026, 11:49 PM

Vulnerability Rating

Custom Algorithm

spread: 5.2
impact: 5.0
exploitability: 6.4
remediation: 7.7
relevance: 6.4
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.