Skip to main content

Ox Dovecot Pro CVE-2026-0394

| EUVDEUVD-2026-16559 MEDIUM
Path Traversal (CWE-22)
2026-03-27 OX
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Ubuntu
MEDIUM
qualitative
SUSE
MEDIUM
qualitative
Red Hat
5.3 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

4
Patch released
Mar 31, 2026 - 13:49 nvd
Patch available
EUVD ID Assigned
Mar 27, 2026 - 08:30 euvd
EUVD-2026-16559
Analysis Generated
Mar 27, 2026 - 08:30 vuln.today
CVE Published
Mar 27, 2026 - 08:10 nvd
MEDIUM 5.3

DescriptionCVE.org

When dovecot has been configured to use per-domain passwd files, and they are placed one path component above /etc, or slash has been added to allowed characters, path traversal can happen if the domain component is directory partial. This allows inadvertently reading /etc/passwd (or some other path which ends with passwd). If this file contains passwords, it can be used to authenticate wrongly, or if this is userdb, it can unexpectly make system users appear valid users. Upgrade to fixed version, or use different authentication scheme that does not rely on paths. Alternatively you can also ensure that the per-domain passwd files are in some other location, such as /etc/dovecot/auth/%d. No publicly available exploits are known.

AnalysisAI

Path traversal in OX Dovecot Pro allows unauthenticated remote attackers to read arbitrary files such as /etc/passwd when per-domain passwd files are misconfigured above /etc or when slash characters are added to the domain path component. Successful exploitation can expose system authentication data or make system users appear as valid mail users, leading to unauthorized access. No public exploit code is currently known, and the vulnerability requires specific misconfiguration to trigger, resulting in a moderate CVSS score of 5.3 with low confidentiality impact.

Technical ContextAI

The vulnerability resides in OX Dovecot Pro's per-domain authentication file handling mechanism (CWE-22: Improper Limitation of a Pathname to a Restricted Directory). Dovecot's userdb and passdb authentication backends can be configured to use per-domain password files located via path templates incorporating the domain name. When directory paths are positioned one component above /etc or when the allowed character set includes forward slashes, an attacker can craft a domain component containing directory traversal sequences or path components that, when combined with the base path, resolve to sensitive files like /etc/passwd. The CVSS vector (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) indicates this is a network-accessible vulnerability requiring no privileges or user interaction, with low attack complexity, though impact is limited to confidentiality (file read-only).

RemediationAI

Upgrade OX Dovecot Pro to a patched version as indicated in the Open-Xchange security advisory (https://documentation.open-xchange.com/dovecot/security/advisories/csaf/2026/oxdc-adv-2026-0001.json). Until patching is feasible, immediately relocate all per-domain passwd files to a safe location such as /etc/dovecot/auth/%d, ensuring they remain below the /etc directory hierarchy and are not accessible via path traversal. If per-domain passwd file authentication is not essential, migrate to an alternative authentication scheme that does not rely on file-based path templates (such as SQL-based userdb or LDAP). Additionally, audit Dovecot configuration to ensure that domain name character allowlists do not include forward slashes or other path components, restricting domains to alphanumeric characters and hyphens only.

CVE-2026-27851 CRITICAL
9.1 May 12

Authentication-layer injection in OX Dovecot Pro (versions up to and including 2.4.3 and 3.1.4) arises from a flaw in th

CVE-2026-24031 HIGH
8.2 Mar 27

Authentication bypass and user enumeration in OX Dovecot Pro (versions up to and including 3.1.0 and the 2.4.x line up t

CVE-2025-59032 HIGH
7.5 Mar 27

OX Dovecot Pro ManageSieve service crashes when processing AUTHENTICATE commands with SASL initial responses using liter

CVE-2026-27858 HIGH
7.5 Mar 27

OX Dovecot Pro managesieve-login process crashes repeatedly due to memory exhaustion triggered by unauthenticated attack

CVE-2026-27857 HIGH
7.5 Mar 27

Remote memory-exhaustion denial of service in OX Dovecot Pro (versions up to and including 2.3.0) lets an unauthenticate

CVE-2026-27856 MEDIUM
5.9 Mar 27

OX Dovecot Pro's doveadm HTTP service is vulnerable to timing oracle attacks during credential verification, allowing re

CVE-2025-59028 MEDIUM
5.3 Mar 27

OX Dovecot Pro authentication server becomes disconnected when processing invalid base64 SASL data, causing all concurre

CVE-2026-27859 MEDIUM
5.3 Mar 27

OX Dovecot Pro mail delivery processes consume excessive CPU resources when processing mail messages containing abnormal

CVE-2025-59031 MEDIUM
4.3 Mar 27

Dovecot's text conversion script for OOXML attachments unsafely processes zip-style files, allowing authenticated attack

CVE-2026-42006 MEDIUM
4.3 May 12

OX Dovecot Pro allows authenticated attackers to cause uncontrolled memory consumption and denial of service via excessi

CVE-2026-40020 LOW
3.1 May 12

OX Dovecot Pro is vulnerable to IMAP SETACL command injection that allows authenticated users to bypass the imap_acl_all

Vendor StatusVendor

Ubuntu

Priority: Medium
dovecot
Release Status Version
trusty needed -
xenial needed -
bionic needed -
focal needed -
jammy needed -
noble needed -
questing not-affected 2.4.0
upstream released 2.4.0

Debian

dovecot
Release Status Fixed Version Urgency
bullseye vulnerable 1:2.3.13+dfsg1-2+deb11u1 -
bullseye (security) vulnerable 1:2.3.13+dfsg1-2+deb11u2 -
bookworm, bookworm (security) vulnerable 1:2.3.19.1+dfsg1-2.1+deb12u1 -
trixie vulnerable 1:2.4.1+dfsg1-6+deb13u3 -
trixie (security) vulnerable 1:2.4.1+dfsg1-6+deb13u1 -
forky, sid vulnerable 1:2.4.2+dfsg1-4 -
(unstable) fixed (unfixed) -

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise Module for Server Applications 15 SP7 Fixed
SUSE Linux Enterprise Module for Server Applications 15 SP7 Fixed
SUSE Linux Enterprise Server 15 SP7 Fixed

Share

CVE-2026-0394 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy