Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <835140174.3112.1778593289745@appsuite-pro-sync-core-mw-groupware-1.appsuite-pro-sync-core-mw-hazelcast-headless.appsuite-dev.svc.cluster.local>
Date: Tue, 12 May 2026 16:41:29 +0300 (EEST)
From: Aki Tuomi <aki.tuomi@...ecot.fi>
To: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>
Subject: Dovecot Security Advisory OXDC-2026-0002

Hi!

We're sharing our latest advisory with you and like to thank everyone who contributed in finding and solving those vulnerabilities. This advisory is also published at https://documentation.open-xchange.com/dovecot/security/advisories/html/2026/oxdc-adv-2026-0002.html

---

Classification: TLP:GREEN

Internal reference: DOV-8967
Type: CWE-235 (Improper Handling of Extra Parameters)
Component: core
Report confidence: Confirmed
Solution status: Fixed by vendor
Last affected revision: OX Dovecot Pro core 3.1.4, OX Dovecot CE core 2.4.3
First fixed revision: OX Dovecot Pro core 3.1.5, OX Dovecot CE core 2.4.4
Discovery date: 2026-03-29
Solution date: 2026-05-05
Disclosure date: 2026-05-05
Researcher credits: caprinuxx@...wehack
CVE: CVE-2026-27851
CVSS: 7.4 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)

Details:
lib-var-expand: Safe filter leaks to all following pipelines. When safe filter is used with variable expansion, all following pipelines on the same string are incorrectly interpreted as safe too, enabling unsafe data to be unescaped.

Risk:
This can enable SQL / LDAP injection attacks when used in authentication. No publicly available exploits are known.

Solution:
Avoid using safe filter until on fixed version.



---



Internal reference: DOV-8948
Type: CWE-400 (Uncontrolled Resource Consumption)
Component: core
Report confidence: Confirmed
Solution status: Fixed by vendor
Last affected revision: OX Dovecot Pro core 2.3.0
First fixed revision: OX Dovecot Pro core 3.1.5, OX Dovecot CE core 2.4.4
Discovery date: 2026-03-24
Solution date: 2026-05-05
Disclosure date: 2026-05-05
Researcher credits: djvirus@...wehack
CVE: CVE-2026-40016
CVSS: 5.3 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H)

Details:
Sieve :contains/:matches O(N×M) Substring Match Bypasses sieve_max_cpu_time Limit (130× Overrun). Attacker can upload a malicious Sieve script over ManageSieve service (or locally) to bypass configured CPU time limits for Sieve up to 130 times of the configured limit.

Risk:
Attacker can use this to degrade server performance and bypass configured CPU time limits for Sieve scripts. No publicly available exploits are known.

Solution:
Install fixed version, or alternatively prevent direct access to Sieve scripts via ManageSieve or local access.



---



Internal reference: DOV-9030
Type: CWE-99 (Improper Control of Resource Identifiers ('Resource Injection'))
Component: core
Report confidence: Confirmed
Solution status: Fixed by vendor
Last affected revision: OX Dovecot Pro core 3.1.0, OX Dovecot CE core 2.4.0
First fixed revision: OX Dovecot Pro core 3.1.5, OX Dovecot CE core 2.4.4
Discovery date: 2026-04-08
Solution date: 2026-05-05
Disclosure date: 2026-05-05
Researcher credits: ylwango613@...wehack
CVE: CVE-2026-33603
CVSS: 6.8 (CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)

Details:
login: Base64 input can contain tabs that bypass IPC protection. Attacker can use a specially crafted base64 exchange between Dovecot and Client to fake SCRAM TLS channel binding. This requires that the attacker is able to position itself between Dovecot and the client connection.

Risk:
If successful, the attacker can eavesdrop communications between Dovecot and client as MITM proxy. No publicly available exploits are known.

Solution:
Install fixed version.



---



Internal reference: DOV-9040
Type: CWE-284 (Improper Access Control)
Component: core
Report confidence: Confirmed
Solution status: Fixed by vendor
Last affected revision: OX Dovecot Pro core 2.3.0
First fixed revision: OX Dovecot Pro core 3.1.5, OX Dovecot CE core 2.4.4
Discovery date: 2026-04-08
Solution date: 2026-05-05
Disclosure date: 2026-05-05
Researcher credits: ilhamaf@...wehack
CVE: CVE-2026-40020
CVSS: 3.1 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L)

Details:
IMAP folders can be shared-spammed to everyone. Attacker can use the IMAP SETACL command to inject the anyone permission to user's dovecot-acl file even if imap_acl_allow_anyone=no. This causes folders to be spammed to all users.

Risk:
The impact is limited to being able to spam folders to other users, no unexpected access is gained. No publicly available exploits are known.

Solution:
Install to fixed version.



---



Internal reference: DOV-9138
Type: CWE-400 (Uncontrolled Resource Consumption)
Component: core
Report confidence: Confirmed
Solution status: Fixed by vendor
Last affected revision: OX Dovecot Pro core 3.0.5, OX Dovecot Pro core 3.1.4, OX Dovecot CE core 2.4.3
First fixed revision: OX Dovecot Pro core 3.1.5, OX Dovecot CE core 2.4.4
Discovery date: 2026-04-27
Solution date: 2026-05-05
Disclosure date: 2026-05-05
Researcher credits: D4RKCYPH3R@...wehack
CVE: CVE-2026-42006
CVSS: 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L)

Details:
imap-login: Excessive memory usage DoS - Try 2. An attacker can cause uncontrolled memory usage with excessive bracing over IMAP. The fix in CVE-2026-27857 was incomplete, only blocking one way of doing this, so there was still another way left open. In particular, the fix was for closing braces, but you could still use open braces to bypass the limit.

Risk:
Using excessive bracing, attacker can cause memory usage up to configured memory limit. No publicly available exploits are known.

Solution:
Install fixed version, or configure vsz_limit for imap process to low value.

Download attachment "signature.asc" of type "application/pgp-signature" (216 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.