What is CVE-2026-40020?

CVE-2026-40020 is a low-severity vulnerability in Dovecot, classified under Improper Access Control. CVSS score: 3.1/10. Published 2026-05-12.

How severe is CVE-2026-40020?

Low severity. CVSS v3 base score is 3.1 out of 10.

Vulnerability in Dovecot

CVE-2026-40020

Attacker can use the IMAP SETACL command to inject the anyone permission to user's dovecot-acl file even if imap_acl_allow_anyone=no. This causes folders to be spammed to all users. The impact is limited to being able to spam folders to ot…

EPSS: 0.000 (2.7th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 3.1 (Low). Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L.

Affected products

Dovecot
Open-xchange Dovecot
Open-xchange Gmbh Ox Dovecot Pro — versions 0

Weakness classification (CWE)

CWE-284 — Improper Access Control

References

security@open-xchange.com (vendor-advisory, Vendor Advisory)

Frequently asked questions

What is CVE-2026-40020?: CVE-2026-40020 is a low-severity vulnerability in Dovecot, classified under Improper Access Control. CVSS score: 3.1/10. Published 2026-05-12.
How severe is CVE-2026-40020?: Low severity. CVSS v3 base score is 3.1 out of 10.