Skip to main content

Ox Dovecot Pro CVE-2025-59028

| EUVDEUVD-2025-209088 MEDIUM
Improper Input Validation (CWE-20)
2026-03-27 OX GHSA-9q9x-wwfr-fxqm
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Ubuntu
MEDIUM
qualitative
SUSE
MEDIUM
qualitative
Red Hat
5.3 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
Low

Lifecycle Timeline

4
Patch released
Mar 31, 2026 - 13:49 nvd
Patch available
EUVD ID Assigned
Mar 27, 2026 - 08:30 euvd
EUVD-2025-209088
Analysis Generated
Mar 27, 2026 - 08:30 vuln.today
CVE Published
Mar 27, 2026 - 08:10 nvd
MEDIUM 5.3

DescriptionCVE.org

When sending invalid base64 SASL data, login process is disconnected from the auth server, causing all active authentication sessions to fail. Invalid BASE64 data can be used to DoS a vulnerable server to break concurrent logins. Install fixed version or disable concurrency in login processes (heavy perfomance penalty on large deployments). No publicly available exploits are known.

AnalysisAI

OX Dovecot Pro authentication server becomes disconnected when processing invalid base64 SASL data, causing all concurrent active authentication sessions to fail and enabling denial-of-service attacks against login infrastructure. Unauthenticated remote attackers can trigger this condition with minimal attack complexity by sending malformed base64 sequences to the SASL authentication handler. No public exploit code is currently available, and the vulnerability carries a CVSS score of 5.3 reflecting limited availability impact without confidentiality or integrity compromise.

Technical ContextAI

The vulnerability resides in the SASL (Simple Authentication and Security Layer) authentication mechanism implemented within OX Dovecot Pro (CPE:cpe:2.3:a:open-xchange_gmbh:ox_dovecot_pro:*:*:*:*:*:*:*:*). The root cause is classified under CWE-20 (Improper Input Validation), indicating insufficient validation of base64-encoded authentication data before processing. When the SASL handler receives malformed or invalid base64 sequences, the authentication server unexpectedly disconnects from its authentication subsystem rather than gracefully rejecting the malformed input. This architectural failure cascades to terminate all concurrent authentication sessions sharing the same server instance, as the entire authentication channel is severed rather than isolated to the offending request. The vulnerability exposes a gap in input sanitization and error handling within the base64 decoding and SASL protocol state machine.

RemediationAI

Upgrade OX Dovecot Pro to the patched version specified in the vendor advisory at https://documentation.open-xchange.com/dovecot/security/advisories/csaf/2026/oxdc-adv-2026-0001.json. The vendor advisory notes that a fixed version is available, though the specific version number requires consultation of the CSAF document. As an interim mitigation prior to patch deployment, the vendor recommends disabling concurrency in login processes, though this introduces a significant performance penalty on large deployments and should be considered a temporary measure only. Organizations should also implement network-level rate limiting on SASL authentication endpoints to reduce the effective denial-of-service surface, and consider isolating Dovecot Pro instances with connection-state monitoring to rapidly detect and contain cascading session failures.

CVE-2026-27851 CRITICAL
9.1 May 12

Authentication-layer injection in OX Dovecot Pro (versions up to and including 2.4.3 and 3.1.4) arises from a flaw in th

CVE-2026-24031 HIGH
8.2 Mar 27

Authentication bypass and user enumeration in OX Dovecot Pro (versions up to and including 3.1.0 and the 2.4.x line up t

CVE-2025-59032 HIGH
7.5 Mar 27

OX Dovecot Pro ManageSieve service crashes when processing AUTHENTICATE commands with SASL initial responses using liter

CVE-2026-27858 HIGH
7.5 Mar 27

OX Dovecot Pro managesieve-login process crashes repeatedly due to memory exhaustion triggered by unauthenticated attack

CVE-2026-27857 HIGH
7.5 Mar 27

Remote memory-exhaustion denial of service in OX Dovecot Pro (versions up to and including 2.3.0) lets an unauthenticate

CVE-2026-27856 MEDIUM
5.9 Mar 27

OX Dovecot Pro's doveadm HTTP service is vulnerable to timing oracle attacks during credential verification, allowing re

CVE-2026-0394 MEDIUM
5.3 Mar 27

Path traversal in OX Dovecot Pro allows unauthenticated remote attackers to read arbitrary files such as /etc/passwd whe

CVE-2026-27859 MEDIUM
5.3 Mar 27

OX Dovecot Pro mail delivery processes consume excessive CPU resources when processing mail messages containing abnormal

CVE-2025-59031 MEDIUM
4.3 Mar 27

Dovecot's text conversion script for OOXML attachments unsafely processes zip-style files, allowing authenticated attack

CVE-2026-42006 MEDIUM
4.3 May 12

OX Dovecot Pro allows authenticated attackers to cause uncontrolled memory consumption and denial of service via excessi

CVE-2026-40020 LOW
3.1 May 12

OX Dovecot Pro is vulnerable to IMAP SETACL command injection that allows authenticated users to bypass the imap_acl_all

Vendor StatusVendor

Ubuntu

Priority: Medium
dovecot
Release Status Version
trusty not-affected 2.4.1+ only
xenial not-affected 2.4.1+ only
bionic not-affected 2.4.1+ only
focal not-affected 2.4.1+ only
jammy not-affected 2.4.1+ only
noble not-affected 2.4.1+ only
questing needed -
upstream released 2.4.3

Debian

dovecot
Release Status Fixed Version Urgency
bullseye vulnerable 1:2.3.13+dfsg1-2+deb11u1 -
bullseye (security) vulnerable 1:2.3.13+dfsg1-2+deb11u2 -
bookworm, bookworm (security) vulnerable 1:2.3.19.1+dfsg1-2.1+deb12u1 -
trixie vulnerable 1:2.4.1+dfsg1-6+deb13u3 -
trixie (security) vulnerable 1:2.4.1+dfsg1-6+deb13u1 -
forky, sid vulnerable 1:2.4.2+dfsg1-4 -
(unstable) fixed (unfixed) -

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise Module for Server Applications 15 SP7 Fixed
SUSE Linux Enterprise Module for Server Applications 15 SP7 Fixed
SUSE Linux Enterprise Server 15 SP7 Fixed

Share

CVE-2025-59028 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy