BeyondMachines for BeyondMachines

Posted on • Originally published at beyondmachines.net

Mailcow Patches Critical XSS Flaws Enabling Unauthenticated Account Takeover

Summary

Mailcow patched three XSS vulnerabilities, including a critical flaw in Autodiscover logs, that allow unauthenticated attackers to take over administrator accounts and exfiltrate sensitive emails. The flaws were fixed in version 2026-03b after researchers demonstrated how to chain them with Login CSRF to steal user data.

Take Action:

If you run a self-hosted Mailcow email server, update it to version 2026-03b ASAP. These vulnerabilities could let an attacker silently take over your admin account just by sending a crafted email. After updating, also check that your server is configured to only accept the X-Real-IP header from trusted internal proxies, not from the open internet.
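As an added illustration of that last check (this is not Mailcow's own configuration; the directives are standard nginx, and the 172.22.1.0/24 subnet is an assumed placeholder for your internal proxy network), the weak setting beside the corrected one:

```nginx
# WEAK: every peer is treated as a trusted proxy, so any Internet client
# can forge its apparent source address by sending its own X-Real-IP header.
set_real_ip_from 0.0.0.0/0;
real_ip_header   X-Real-IP;

# CORRECTED: only the internal reverse proxy may supply the client address.
# 172.22.1.0/24 is an assumed placeholder; use your proxy network's range.
set_real_ip_from 172.22.1.0/24;
real_ip_header   X-Real-IP;

# When forwarding to the backend, always overwrite X-Real-IP with the
# address nginx actually saw, so a client-supplied value never reaches
# the application or its logs.
location / {
    proxy_set_header X-Real-IP $remote_addr;
    proxy_pass       http://backend;
}
```

After applying it, a request sent from outside with a forged X-Real-IP should still be logged under its true source address.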

