CVE-2026-7460 · mailcow-dockerized contains a stored cross-site scripting vulnerability in the administrator Queue Manager.

01 · The Real Story

This is a booby-trapped parcel that only detonates when an admin opens the mailroom backlog

CVE-2026-7460 is a stored XSS in mailcow-dockerized's administrator Queue Manager. In affected release 2026-03b, queue metadata returned from /api/v1/get/mailq/all is copied into DataTables rows and some fields are rendered as HTML without output encoding; the Fluid Attacks write-up calls out sender, queue_name, queue_id, and queue_id-derived fragments as sinks. Practically, an attacker who can get a crafted message stuck in the Postfix queue can plant markup in queue metadata and wait for an administrator to browse /admin/queue.

This is not a fire-drill internet RCE, and treating it like one would waste patching capital. The impact is serious if it lands — privileged browser execution in an admin session can mean same-origin actions, config changes, mailbox tampering, or account takeover — but the chain has real friction: one known affected release, queue persistence is required, and an authenticated admin must visit a specific operational page that many teams open only during troubleshooting.

"= ASSESSED AT MEDIUM: real impact is admin takeover, but the exploit chain is narrow and workflow-dependent"

02 · The Attack Path

4 steps from start to impact.

STEP 01

Plant a payload in queued mail metadata

An attacker uses an SMTP client such as swaks or smtp-cli to submit mail with attacker-controlled envelope values, then forces the message to remain in the Postfix queue long enough to be visible in Queue Manager. Fluid Attacks identifies the sender field as the practical sink because Postfix queue IDs are usually constrained, but sender metadata is flexible enough for markup injection.

Conditions required:

Target runs mailcow-dockerized 2026-03b
Attacker can reach SMTP or otherwise cause a crafted message to remain queued
Injected content survives into Postfix queue metadata

Where this breaks in practice:

This is not a one-packet exploit; the message has to stay queued rather than being delivered or dropped immediately
Some environments have outbound relays, validation, or queue churn that shorten dwell time
The attacker still needs a workable HTML/JS payload in a field that actually surfaces in the UI

Detection/coverage: Network scanners generally miss this because the precondition is queued-message manipulation, not a version banner. SMTP logs and queue records can show suspicious MAIL FROM values, but commodity vuln coverage is weak.

STEP 02

Wait for Queue Manager to render the row

When an administrator opens /admin/queue, the frontend fetches queue entries from /api/v1/get/mailq/all and DataTables writes certain values into the DOM with HTML interpretation. That turns inert queue metadata into active script in the admin's browser.

Conditions required:

An administrator has authenticated access to the mailcow UI
The administrator opens the specific Queue Manager page /admin/queue
The malicious queue entry is still present at render time

Where this breaks in practice:

Queue Manager is a niche troubleshooting page, not the default admin landing page
If the queue clears before the admin looks, the exploit dies quietly
No admin page view means no exploit

Detection/coverage: DAST can catch this if it can seed queued content and drive an authenticated admin session, but most enterprise scanners will not model that workflow.

STEP 03

Execute in the admin origin

The payload runs in the browser origin of the mailcow admin UI, which is enough for DOM access, authenticated API calls, CSRF token use, and same-origin actions. The attacker does not need code execution on the host; browser-side execution in an active admin session is the control point.

Conditions required:

Browser allows the injected script to run
Admin session is active and authorized
No effective CSP or client-side hardening blocks the payload

Where this breaks in practice:

HttpOnly can limit raw cookie theft, though it does not stop same-origin actions
A well-tuned CSP could reduce payload freedom if deployed correctly
Some payload goals require page-specific tokens or DOM discovery

Detection/coverage: Browser telemetry and proxy logs may show unusual requests from an otherwise legitimate admin session, but many EDR stacks have poor visibility into same-origin web abuse.

STEP 04

Abuse admin privileges for control

With script running as the admin, the attacker can issue privileged UI/API actions: alter mail routing, create mailboxes, tamper with quarantine/relay settings, or harvest sensitive data exposed to the session. The real blast radius is the single mailcow instance and its managed mail identities, not arbitrary lateral movement across the estate.

Conditions required:

Admin account has broad mailcow privileges
Relevant admin APIs are reachable from the session
The attacker has scripted post-exploitation actions

Where this breaks in practice:

Impact is bounded to what the mailcow admin role can touch
This does not inherently bypass segmentation outside the mail platform
Some high-value actions may still leave obvious audit traces

Detection/coverage: Look for abnormal admin actions from a normal admin IP/browser shortly after queue inspection. Mailcow audit/UI logs are more useful here than perimeter scanners.

03 · Intelligence Metadata

The supporting signals.

In-the-wild status	No evidence of active exploitation found in the sources reviewed. `CISA KEV`: not listed.
Proof-of-concept availability	Fluid Attacks published exploit evidence including video/static proof, but I did not find a broadly reused public GitHub weaponized repo for this CVE.
EPSS	`0.00052` (0.052%), which is very low and fits the workflow-heavy exploit chain.
KEV status	No — not present in the CISA Known Exploited Vulnerabilities catalog as reviewed.
CVSS / baseline reality	Per your intel, there is no vendor/authority baseline to compare against, so this is `= ASSESSED AT MEDIUM`. Third-party databases later mirrored a `CVSS v4 7.4` style rating, but that is not a mailcow-issued severity baseline.
Affected versions	Authoritative advisory evidence points to mailcow-dockerized `2026-03b` as the affected release.
Fixed version	mailcow's official `2026-05` release notes state the web frontend fix was "escape HTML in sieve filter edit view and queue manager"; treat `2026-05` and later as the patched train.
Exposure population	mailcow is designed around an internet-facing web UI plus mail services, so reachable population is not tiny. That said, I found no authoritative Shodan/Censys/GreyNoise dataset for `/admin/queue` specifically, which matters because the vulnerable step is the admin troubleshooting page, not generic web exposure.
Disclosure date	Publicly disclosed on 2026-05-20.
Reporter / source	Disclosed by Oscar Naveda / Fluid Attacks; advisory names the issue as stored XSS in Queue Manager via unescaped Postfix queue fields.

04 · The Call

noisgate verdict.

Final Verdict

= UNCHANGED to MEDIUM (5.8/10)

The decisive downward pressure is that exploitation depends on an administrator visiting a specific page (/admin/queue) while a crafted message is still stuck in queue, which is far narrower than an always-on admin-panel XSS. The impact is real once triggered, but this is a workflow-driven admin hijack on one affected release, not broad unauthenticated compromise at internet scale.

HIGH Affected release and technical root cause

MEDIUM Patched train beginning at `2026-05`

MEDIUM Real-world exploitability in enterprise deployments

Why this verdict

Requires a prior queueing condition: the attacker must get a crafted message to persist in Postfix queue metadata long enough to be rendered, which is a real operational hurdle and pushes the score down from what stored XSS looks like on paper
Requires authenticated admin page view: the exploit does nothing unless an administrator opens /admin/queue; that is a niche troubleshooting workflow, not normal user traffic, so reachable population is materially smaller
Narrow version scope: the available authoritative write-ups point to a single affected release, 2026-03b, and the vendor's 2026-05 release already shipped the queue-manager HTML escaping fix

Why not higher?

Because this is not a broadly triggerable web bug. It is chained: queue persistence, specific metadata path, authenticated admin context, and a particular page view. Those compounding prerequisites mean the vendor-style technical impact overstates real fleet risk.

Why not lower?

Because if the chain lands, the attacker gets script execution in a privileged admin origin, which is enough for same-origin API abuse and effective control of the mail platform. For organizations where mail admins routinely inspect queues during incidents, the exploitability is low-frequency but not theoretical.

05 · Compensating Control

What to do — in priority order.

Restrict admin UI reachability — Put the mailcow admin UI behind VPN, IP allowlists, or an identity-aware proxy so the admin session is not casually reachable from the open internet. For a MEDIUM verdict there is no mitigation SLA, so fold this into normal hardening while still targeting the actual patch within the 365-day remediation window.
Monitor and age out suspicious queue entries — Alert on queued messages with malformed or HTML-like envelope sender values and reduce queue dwell time where operationally safe. That directly attacks the exploit precondition — a malicious message surviving until an admin opens Queue Manager — and can be implemented during routine mail hygiene work.
Review browser-side controls — Deploy or tighten CSP and related response headers on the admin UI if your mailcow customization path allows it. This is not a guaranteed fix, but it can blunt payload freedom and make admin-session abuse noisier while you move to a patched build.
Instrument admin actions — Log and review high-impact admin operations — mailbox creation, relay changes, routing changes, quarantine actions — especially when they occur immediately after queue inspection. There is no mitigation SLA for MEDIUM, but this is worth enabling now because successful exploitation will often masquerade as a legitimate admin session.

What doesn't work

MFA on the admin login does not stop post-authentication same-origin script running inside an already authenticated browser session
Perimeter vulnerability scanning is weak here because the exploit requires authenticated UI flow plus seeded queue content, not just banner grabbing
HttpOnly cookies alone do not solve the problem; even without cookie theft, injected JavaScript can still drive privileged same-origin actions

06 · Verification

Crowdsourced verification payload.

Run this on the mailcow host inside the local clone directory, typically cd /opt/mailcow-dockerized && sudo bash ./check-cve-2026-7460.sh. It needs read access to the mailcow Git working tree; root is simplest but not strictly required if the repo is readable.

noisgate-verify.sh

BASHREAD-ONLYSAFE

#!/usr/bin/env bash
# check-cve-2026-7460.sh
# Detect likely exposure to CVE-2026-7460 in mailcow-dockerized.
# Logic:
#   - Vulnerable known release: 2026-03b
#   - Patched train begins at: 2026-05
# Output: VULNERABLE / PATCHED / UNKNOWN
# Exit codes: 0=PATCHED, 1=VULNERABLE, 2=UNKNOWN

set -u

TARGET_DIR="${1:-.}"
AFFECTED="2026-03b"
PATCHED_MIN="2026-05"

fail_unknown() {
  echo "UNKNOWN: $1"
  exit 2
}

if [ ! -d "$TARGET_DIR/.git" ]; then
  fail_unknown "No .git directory found in '$TARGET_DIR'. Run this from the mailcow-dockerized checkout or pass its path as arg 1."
fi

cd "$TARGET_DIR" || fail_unknown "Cannot enter '$TARGET_DIR'."

# Try the exact tag first, then any tag pointing at HEAD.
TAG="$(git describe --tags --exact-match 2>/dev/null || true)"
if [ -z "$TAG" ]; then
  TAG="$(git tag --points-at HEAD | head -n1)"
fi

if [ -z "$TAG" ]; then
  fail_unknown "Could not determine the installed mailcow tag from Git metadata."
fi

normalize_tag() {
  # Converts tags like 2026-05, 2026-05a, 2026-03b into sortable keys YYYYMMsuf
  # suffix: none=0, a=1, b=2, c=3 ... z=26
  local t="$1"
  if [[ ! "$t" =~ ^([0-9]{4})-([0-9]{2})([a-z]?)$ ]]; then
    return 1
  fi
  local year="${BASH_REMATCH[1]}"
  local mon="${BASH_REMATCH[2]}"
  local suf="${BASH_REMATCH[3]}"
  local ord=0
  if [ -n "$suf" ]; then
    ord=$(( $(printf '%d' "'${suf}") - 96 ))
  fi
  printf '%04d%02d%02d' "$year" "$mon" "$ord"
  return 0
}

TAG_N="$(normalize_tag "$TAG" 2>/dev/null || true)"
PATCHED_N="$(normalize_tag "$PATCHED_MIN" 2>/dev/null || true)"

if [ "$TAG" = "$AFFECTED" ]; then
  echo "VULNERABLE: installed tag is $TAG (known affected release for CVE-2026-7460)."
  exit 1
fi

if [ -n "$TAG_N" ] && [ -n "$PATCHED_N" ]; then
  if [ "$TAG_N" -ge "$PATCHED_N" ]; then
    echo "PATCHED: installed tag is $TAG (patched train starts at $PATCHED_MIN)."
    exit 0
  fi
fi

# Older or unrecognized tags are not asserted vulnerable because the advisory only names 2026-03b.
echo "UNKNOWN: installed tag is $TAG; advisory evidence reviewed names $AFFECTED as affected and $PATCHED_MIN+ as patched."
exit 2

07 · Bottom Line

If you remember one thing.

TL;DR

Monday morning: identify any mailcow hosts on 2026-03b, confirm whether admins actually use Queue Manager, and move those systems to the fixed 2026-05 or later train during normal remediation planning. Because this is MEDIUM, there is no noisgate mitigation SLA — go straight to the 365-day remediation window; if you want extra risk reduction before patching, tighten admin UI exposure and watch for suspicious queued senders, but the formal deadline from the noisgate remediation SLA is ≤ 365 days.

Sources

Peer Review

What defenders are saying.

Submit a review attribution: handle + country only

0 flags selected · stored anonymously

Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.