mailcow: dockerized Missing Authorization Vulnerability in Forwarding Hosts Deletion API

Vulnerability

A vulnerability exists in mailcow: dockerized versions prior to 2026-03b, where deletion of Forwarding Hosts via the '/api/v1/delete/fwdhost' API lacks an administrator-role check. The endpoint only requires that the caller is authenticated, so any logged-in account, not just an administrator, can delete Forwarding Hosts. Because Forwarding Hosts are the upstream relays mailcow is configured to trust, removing them changes how mail relayed through those hosts is handled and can disrupt mail flow. The issue is fixed in version 2026-03b; instances running earlier versions remain affected.

Impact

Any authenticated user, including a low-privilege account, can delete Forwarding Hosts, an action intended for administrators only. Mail relayed through the deleted hosts is no longer treated as coming from a trusted forwarder, disrupting email services that depend on that configuration. Exploitation requires valid credentials on the instance, so the attacker is a malicious or compromised user rather than an unauthenticated remote party.

Reproduction

To reproduce this vulnerability, first use an admin account to add a Forwarding Host and note its IP address. Then log in to the same mailcow: dockerized instance with a low-privilege user account and, in that session, send a POST request to the '/api/v1/delete/fwdhost' endpoint naming the IP address of the Forwarding Host to be deleted. On an affected version the response reports success, and the entry is gone when the Forwarding Hosts page is reloaded as the admin. On a patched version the request from the non-admin session is rejected and the entry remains.
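The following is an added illustration, not mailcow's code. It models the delete handler in Python so the missing check and its fix can be exercised offline: the vulnerable variant only requires an authenticated session, the hardened variant also requires the admin role, and reproduce() runs the steps above against either handler. The role names, the JSON-array request body and the X-API-Key header used by build_probe_request() are assumptions for the example.

```python
import json
from dataclasses import dataclass, field

# Role names are an assumption of this model, not mailcow identifiers.
ADMIN = "admin"
USER = "user"


@dataclass
class Session:
    """An authenticated session. Authentication is not authorization."""
    user: str
    role: str


@dataclass
class FwdHostStore:
    """In-memory stand-in for the forwarding-hosts table."""
    hosts: set = field(default_factory=set)


def _remove(store, body):
    """Shared deletion logic: body is assumed to be a JSON array of hosts."""
    items = json.loads(body)
    removed = [h for h in items if h in store.hosts]
    for h in removed:
        store.hosts.discard(h)
    return {"type": "success", "msg": ["fwdhost_removed", removed]}


def add_fwdhost(store, session, host):
    """Admin-only add, used to stage the precondition of the reproduction."""
    if session is None or session.role != ADMIN:
        return {"type": "danger", "msg": "access_denied"}
    store.hosts.add(host)
    return {"type": "success", "msg": ["fwdhost_added", host]}


def delete_fwdhost_vulnerable(store, session, body):
    """Vulnerable pattern: any authenticated session may delete."""
    if session is None:
        return {"type": "danger", "msg": "login_required"}
    return _remove(store, body)


def delete_fwdhost_fixed(store, session, body):
    """Hardened: authenticate, then authorize (admin role) before acting."""
    if session is None:
        return {"type": "danger", "msg": "login_required"}
    if session.role != ADMIN:
        return {"type": "danger", "msg": "access_denied"}
    return _remove(store, body)


def reproduce(delete_handler, host="203.0.113.10"):
    """Run the reproduction steps against a delete handler.

    Returns True if the low-privilege user was able to delete the host.
    host defaults to a constructed TEST-NET-3 address.
    """
    store = FwdHostStore()
    admin = Session("admin", ADMIN)
    lowpriv = Session("alice@example.org", USER)  # constructed low-privilege user
    assert add_fwdhost(store, admin, host)["type"] == "success"
    resp = delete_handler(store, lowpriv, json.dumps([host]))
    return resp["type"] == "success" and host not in store.hosts


def build_probe_request(base_url, host, api_key):
    """Shape of the request for probing a live instance (nothing is sent here)."""
    return {
        "method": "POST",
        "url": base_url.rstrip("/") + "/api/v1/delete/fwdhost",
        "headers": {
            "Content-Type": "application/json",
            "X-API-Key": api_key,  # assumed authentication header
        },
        "body": json.dumps([host]),
    }


if __name__ == "__main__":
    print("vulnerable handler deletable by user:", reproduce(delete_fwdhost_vulnerable))
    print("fixed handler deletable by user:", reproduce(delete_fwdhost_fixed))
```

The point the model makes is the order of checks: the vulnerable handler stops after confirming a session exists, while the fixed one also confirms the role before touching the store. When probing a real instance, use a throwaway Forwarding Host created for the test rather than a production relay, since a successful probe really deletes it.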

Remediation

Users should update to mailcow: dockerized version 2026-03b or later. After updating, confirm the fix by repeating the reproduction with a non-admin session: the request should be rejected and the Forwarding Host should remain. Until the update is applied, review who holds accounts on the instance and check the Forwarding Hosts list for unexpected removals.

Added: Apr 21, 2026, 9:01 PM
Updated: Apr 21, 2026, 9:01 PM

Vulnerability Rating

Custom Algorithm
spread: 5.2
impact: 5.0
exploitability: 6.8
remediation: 7.7
relevance: 6.4
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.