CVE-2025-30189
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Description
When the cache is enabled, some passdb/userdb drivers incorrectly cache all users under the same cache key, causing the wrong cached information to be used for these users. After a cached login, all subsequent logins are for the same user. Install the fixed version or disable caching either globally or for the impacted passdb/userdb drivers. No publicly available exploits are known.
Analysis
An authentication cache collision in the Dovecot mail server allows remote attackers to gain unauthorized access to other users' accounts under specific caching configurations. When passdb/userdb caching is enabled, certain drivers incorrectly use identical cache keys for multiple distinct users, so authentication data from one user is applied to subsequent login attempts by different users. This lets an attacker authenticate as another user once that user's credentials have been cached; no public exploit had been identified at the time of analysis. Despite the low EPSS probability (0.03%), the network-accessible attack vector and the potential for unauthorized email access warrant prompt remediation in environments using affected caching configurations.
Technical Context
Dovecot is a widely deployed open-source IMAP and POP3 email server. This vulnerability affects the passdb (password database) and userdb (user database) authentication subsystems when caching is enabled to improve performance. The root cause is CWE-1250 (Improper Preservation of Consistency Between Independent Representations of Shared State): cache key generation fails to differentiate between users. The affected drivers generate non-unique cache keys, so entries for distinct users collide in the authentication cache. When User A authenticates successfully, their credentials and privileges are stored under a cache key. When User B subsequently attempts authentication, the same cache key is generated, and Dovecot retrieves and applies User A's cached authentication state. This is a classic authentication bypass through state confusion: the cache becomes shared state that loses consistency between distinct user identities. The issue is specific to certain passdb/userdb driver implementations whose cache_key configuration parameters are not sufficiently unique per user.
Affected Products
The vulnerability affects Dovecot mail server installations with passdb or userdb caching enabled for specific driver configurations. Based on the security advisory reference from Open-Xchange (oxdc-adv-2026-0001.json), this impacts Dovecot deployments where the cache_key parameters in authentication driver configurations produce non-unique values across different users. The exact version range is not specified in the available data, though the advisory identifier is dated 2026 while the oss-security disclosure is dated 2025, which indicates recent versions. Organizations running Dovecot with auth_cache_size greater than zero and using affected passdb or userdb drivers (the specific drivers are not enumerated in the available data) are vulnerable. Detailed version information and the complete list of affected drivers should be confirmed from the Open-Xchange security advisory at https://documentation.open-xchange.com/dovecot/security/advisories/csaf/2026/oxdc-adv-2026-0001.json and the oss-security mailing list disclosure.
Remediation
Primary remediation is upgrading to a fixed Dovecot version as specified in the vendor advisory at https://documentation.open-xchange.com/dovecot/security/advisories/csaf/2026/oxdc-adv-2026-0001.json, though the exact patched version number is not provided in available intelligence data. As an immediate workaround until patching is possible, disable authentication caching either globally by setting auth_cache_size to zero in dovecot.conf, or disable caching selectively for affected passdb and userdb drivers by removing or commenting out cache_key parameters in their driver configurations. Review passdb and userdb configurations to ensure cache_key values incorporate sufficient unique identifiers per user if caching must remain enabled. Monitor authentication logs for anomalous patterns where users appear to gain access to accounts other than their own. After applying fixes, flush existing authentication caches and force all users to re-authenticate. Consult the full disclosure on the oss-security mailing list (http://www.openwall.com/lists/oss-security/2025/10/29/4) and Full Disclosure list for additional technical details and configuration guidance.
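To make the collision described under Technical Context and the two remediation options above concrete, the following Python model is added here; it is not Dovecot's code and not taken from the advisory. It places a userdb lookup cache whose key omits the username beside a per-user key and the cache-disabled workaround, and includes a small check for whether a key function would collide across a set of users. The usernames, records, the `imap` service label and the key formats are constructed assumptions.

```python
"""Constructed model of a userdb lookup cache with a shared cache key.

Added illustration, not Dovecot's code: it models the failure the advisory
describes (several users mapped to one cache entry) next to a per-user key
and the "disable caching" workaround.  All names and records are assumptions.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, Optional


@dataclass(frozen=True)
class UserInfo:
    """What a userdb lookup returns: where mail lives and which uid owns it."""
    home: str
    uid: int


# Constructed sample backends. Plain-text passwords only for the model.
PASSDB = {"alice": "alice-pw", "bob": "bob-pw"}
USERDB = {
    "alice": UserInfo("/var/mail/alice", 1001),
    "bob": UserInfo("/var/mail/bob", 1002),
}

KeyFunc = Callable[[str, str], str]


def shared_key(username: str, service: str) -> str:
    """Flawed key: depends only on the service, so every user maps to one entry."""
    return service


def per_user_key(username: str, service: str) -> str:
    """Correct key: includes the username, so entries cannot collide across users."""
    return f"{service}:{username}"


class UserdbCache:
    """Cache in front of USERDB; enabled=False stands in for auth_cache_size = 0."""

    def __init__(self, key_func: KeyFunc, enabled: bool = True) -> None:
        self.key_func = key_func
        self.enabled = enabled
        self.entries: Dict[str, UserInfo] = {}
        self.backend_lookups = 0

    def lookup(self, username: str, service: str) -> Optional[UserInfo]:
        key = self.key_func(username, service)
        if self.enabled and key in self.entries:
            return self.entries[key]  # hit: whatever was stored under this key
        self.backend_lookups += 1
        info = USERDB.get(username)
        if info is not None and self.enabled:
            self.entries[key] = info
        return info


def login(cache: UserdbCache, username: str, password: str,
          service: str = "imap") -> Optional[UserInfo]:
    """Verify the password (unaffected in this model), then fetch user info via the cache."""
    if PASSDB.get(username) != password:
        return None
    return cache.lookup(username, service)


def mailbox_after_two_logins(key_func: KeyFunc, enabled: bool = True) -> str:
    """alice logs in first, then bob; return the home directory bob is given."""
    cache = UserdbCache(key_func, enabled)
    assert login(cache, "alice", "alice-pw") == USERDB["alice"]
    bob = login(cache, "bob", "bob-pw")
    assert bob is not None
    return bob.home


def key_collides(key_func: KeyFunc, usernames: Iterable[str],
                 service: str = "imap") -> bool:
    """Defender check: True if two distinct users would share one cache key."""
    names = set(usernames)
    keys = {key_func(u, service) for u in names}
    return len(keys) < len(names)


if __name__ == "__main__":
    print(mailbox_after_two_logins(shared_key))                  # /var/mail/alice (bob gets alice's mailbox)
    print(mailbox_after_two_logins(per_user_key))                # /var/mail/bob
    print(mailbox_after_two_logins(shared_key, enabled=False))   # /var/mail/bob (caching disabled)
    print(key_collides(shared_key, PASSDB))                      # True
```

The first call reproduces the advisory's symptom: bob's password is verified correctly, but the userdb cache hands him alice's record, so he is placed in alice's mailbox. The second call shows why a per-user key removes the problem, and the third shows that disabling the cache entirely (the auth_cache_size = 0 workaround) does the same at the cost of a backend lookup per login. `key_collides` is the kind of check to apply to a cache_key template before re-enabling caching.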