Open-xchange Dovecot
16 CVEs affecting Open-xchange Dovecot. Latest disclosed: 2026-05-12. Critical: 0, High: 5.
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2026-24031 | High | 7.7 | 2026-03-27 | Dovecot SQL based authentication can be bypassed when auth_username_chars is cleared by admin. This vulnerability allows bypassing authentication for any user… |
| CVE-2026-27858 | High | 7.5 | 2026-03-27 | Attacker can send a specifically crafted message before authentication that causes managesieve to allocate large amount of memory. Attacker can force manages… |
| CVE-2025-59032 | High | 7.5 | 2026-03-27 | ManageSieve AUTHENTICATE command crashes when using literal as SASL initial response. This can be used to crash ManageSieve service repeatedly, making it unava… |
| CVE-2026-27851 | High | 7.4 | 2026-05-12 | When safe filter is used with variable expansion, all following pipelines on the same string are incorrectly interpreted as safe too, enabling unsafe data to b… |
| CVE-2026-27856 | High | 7.4 | 2026-03-27 | Doveadm credentials are verified using direct comparison which is susceptible to timing oracle attack. An attacker can use this to determine the configured cre… |
| CVE-2026-33603 | Medium | 6.8 | 2026-05-12 | Attacker can use a specially crafted base64 exchange between Dovecot and Client to fake SCRAM TLS channel binding. This requires that the attacker is able to p… |
| CVE-2026-27855 | Medium | 6.8 | 2026-03-27 | Dovecot OTP authentication is vulnerable to replay attack under specific conditions. If auth cache is enabled, and username is altered in passdb, then OTP cred… |
| CVE-2026-40016 | Medium | 5.3 | 2026-05-12 | Attacker can upload a malicious Sieve script over ManageSieve service (or locally) to bypass configured CPU time limits for Sieve up to 130 times of the config… |
| CVE-2026-27859 | Medium | 5.3 | 2026-03-27 | A mail message containing excessive amount of RFC 2231 MIME parameters causes LMTP to use too much CPU. A suitably formatted mail message causes mail delivery… |
| CVE-2026-0394 | Medium | 5.3 | 2026-03-27 | When dovecot has been configured to use per-domain passwd files, and they are placed one path component above /etc, or slash has been added to allowed characte… |
| CVE-2025-59028 | Medium | 5.3 | 2026-03-27 | When sending invalid base64 SASL data, login process is disconnected from the auth server, causing all active authentication sessions to fail. Invalid BASE64 d… |
| CVE-2026-42006 | Medium | 4.3 | 2026-05-12 | An attacker can cause uncontrolled memory usage with excessive bracing over IMAP. The fix in CVE-2026-27857 was incomplete, only blocking one way of doing this… |
| CVE-2026-27857 | Medium | 4.3 | 2026-03-27 | Sending "NOOP (((...)))" command with 4000 parenthesis open+close results in ~1MB extra memory usage. Longer commands will result in client disconnection. This… |
| CVE-2025-59031 | Medium | 4.3 | 2026-03-27 | Dovecot has provided a script to use for attachment to text conversion. This script unsafely handles zip-style attachments. Attacker can use specially crafted… |
| CVE-2026-27860 | Low | 3.7 | 2026-03-27 | If auth_username_chars is empty, it is possible to inject arbitrary LDAP filter to Dovecot's LDAP authentication. This leads to potentially bypassing restricti… |
| CVE-2026-40020 | Low | 3.1 | 2026-05-12 | Attacker can use the IMAP SETACL command to inject the anyone permission to user's dovecot-acl file even if imap_acl_allow_anyone=no. This causes folders to be… |