Skip to main content

Dovecot CVE-2025-30189

HIGH
Improper Preservation of Consistency Between Independent Representations of Shared State (CWE-1250)
2025-10-31 security@open-xchange.com
7.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.4 HIGH
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
SUSE
HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

3
Patch released
Apr 05, 2026 - 20:30 nvd
Patch available
Analysis Generated
Mar 27, 2026 - 09:22 vuln.today
CVE Published
Oct 31, 2025 - 09:15 nvd
HIGH 7.4

DescriptionCVE.org

When cache is enabled, some passdb/userdb drivers incorrectly cache all users with same cache key, causing wrong cached information to be used for these users. After cached login, all subsequent logins are for same user. Install fixed version or disable caching either globally or for the impacted passdb/userdb drivers. No publicly available exploits are known.

AnalysisAI

Authentication cache collision in Dovecot mail server allows remote attackers to gain unauthorized access to other users' accounts under specific caching configurations. When passdb/userdb caching is enabled, certain drivers incorrectly use identical cache keys for multiple distinct users, causing authentication data from one user to be applied to subsequent login attempts by different users. This vulnerability enables attackers to authenticate as other users after the legitimate user's credentials are cached, with no public exploit identified at time of analysis. Despite low EPSS probability (0.03%), the network-accessible attack vector and potential for unauthorized email access warrants immediate remediation in environments using affected caching configurations.

Technical ContextAI

Dovecot is a widely-deployed open-source IMAP and POP3 email server. This vulnerability affects the passdb (password database) and userdb (user database) authentication subsystems when caching is enabled to improve performance. The root cause is CWE-1250 (Improper Preservation of Consistency Between Independent Representations of Shared State), where cache key generation fails to properly differentiate between users. The affected drivers generate non-unique cache keys, causing hash collisions in the authentication cache. When User A authenticates successfully, their credentials and privileges are stored under a cache key. When User B subsequently attempts authentication, the same cache key is generated, causing Dovecot to retrieve and apply User A's cached authentication state. This creates a classic authentication bypass through state confusion, where the cache becomes a shared state that loses consistency between distinct user identities. The issue is specific to certain passdb/userdb driver implementations when cache_key configuration parameters are not sufficiently unique.

Affected ProductsAI

The vulnerability affects Dovecot mail server installations with passdb or userdb caching enabled for specific driver configurations. Based on the security advisory reference from Open-Xchange (oxdc-adv-2026-0001.json), this impacts Dovecot deployments where cache_key parameters in authentication driver configurations produce non-unique values across different users. The exact version range is not specified in available data, though the advisory timeline (2026 reference suggests 2025 disclosure) indicates recent versions. Organizations running Dovecot with auth_cache_size greater than zero and using affected passdb or userdb drivers (specific drivers not enumerated in provided data) are vulnerable. Detailed version information and complete affected driver list should be confirmed from the Open-Xchange security advisory at https://documentation.open-xchange.com/dovecot/security/advisories/csaf/2026/oxdc-adv-2026-0001.json and the oss-security mailing list disclosure.

RemediationAI

Primary remediation is upgrading to a fixed Dovecot version as specified in the vendor advisory at https://documentation.open-xchange.com/dovecot/security/advisories/csaf/2026/oxdc-adv-2026-0001.json, though the exact patched version number is not provided in available intelligence data. As an immediate workaround until patching is possible, disable authentication caching either globally by setting auth_cache_size to zero in dovecot.conf, or disable caching selectively for affected passdb and userdb drivers by removing or commenting out cache_key parameters in their driver configurations. Review passdb and userdb configurations to ensure cache_key values incorporate sufficient unique identifiers per user if caching must remain enabled. Monitor authentication logs for anomalous patterns where users appear to gain access to accounts other than their own. After applying fixes, flush existing authentication caches and force all users to re-authenticate. Consult the full disclosure on the oss-security mailing list (http://www.openwall.com/lists/oss-security/2025/10/29/4) and Full Disclosure list for additional technical details and configuration guidance.

CVE-2019-11500 CRITICAL POC
9.8 Aug 29

In Dovecot before 2.2.36.4 and 2.3.x before 2.3.7.2 (and Pigeonhole before 0.5.7.2), protocol processing can fail for qu

CVE-2020-12674 HIGH POC
7.5 Aug 12

In Dovecot before 2.3.11.3, sending a specially formatted RPA request will crash the auth service because a length of ze

CVE-2020-12673 HIGH POC
7.5 Aug 12

In Dovecot before 2.3.11.3, sending a specially formatted NTLM request will crash the auth service because of an out-of-

CVE-2020-12100 HIGH POC
7.5 Aug 12

In Dovecot before 2.3.11.3, uncontrolled recursion in submission, lmtp, and lda allows remote attackers to cause a denia

CVE-2020-10957 HIGH POC
7.5 May 18

In Dovecot before 2.3.10.1, unauthenticated sending of malformed parameters to a NOOP command causes a NULL Pointer Dere

CVE-2019-3814 MEDIUM POC
6.8 Mar 27

It was discovered that Dovecot before versions 2.2.36.1 and 2.3.4.1 incorrectly handled client certificates. Rated mediu

CVE-2020-10967 MEDIUM POC
5.3 May 18

In Dovecot before 2.3.10.1, remote unauthenticated attackers can crash the lmtp or submission process by sending mail wi

CVE-2020-10958 MEDIUM POC
5.3 May 18

In Dovecot before 2.3.10.1, a crafted SMTP/LMTP message triggers an unauthenticated use-after-free bug in submission-log

CVE-2020-7957 MEDIUM POC
5.3 Feb 12

The IMAP and LMTP components in Dovecot 2.3.9 before 2.3.9.3 mishandle snippet generation when many characters must be r

CVE-2022-30550 HIGH
8.8 Jul 17

An issue was discovered in the auth component in Dovecot 2.2 and 2.3 before 2.3.20. Rated high severity (CVSS 8.8), this

CVE-2019-7524 HIGH
7.8 Mar 28

In Dovecot before 2.2.36.3 and 2.3.x before 2.3.5.1, a local attacker can cause a buffer overflow in the indexer-worker

CVE-2016-8652 MEDIUM
5.9 Feb 17

The auth component in Dovecot before 2.2.27, when auth-policy is configured, allows a remote attackers to cause a denial

Vendor StatusVendor

SUSE

Severity: High
Product Status
Container suse/sl-micro/6.0/kvm-os-container:latest Container suse/sl-micro/6.1/kvm-os-container:2.2.0-3.3 Affected
SUSE Linux Enterprise Server 16.0 SUSE Linux Enterprise Server for SAP applications 16.0 Fixed
openSUSE Leap 16.0 Fixed
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise Server 16.0 Affected

Share

CVE-2025-30189 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy