Skip to main content

OX Dovecot Pro CVE-2026-24031

| EUVDEUVD-2026-16561 HIGH
SQL Injection (CWE-89)
2026-03-27 OX GHSA-fx6f-5qgf-9fmx
8.2
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.2 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N
vuln.today AI
7.4 HIGH

Network-reachable and unauthenticated (AV:N/PR:N), but success depends on the non-default cleared auth_username_chars setting (AC:H); full account-impersonation bypass yields C:H/I:H with no availability impact.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
4.0 AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
Ubuntu
MEDIUM
qualitative
SUSE
7.7 HIGH
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L
Red Hat
7.7 HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
High
Availability
None

Lifecycle Timeline

10
Analysis Updated
Jun 30, 2026 - 04:44 vuln.today
v5 (cvss_changed)
Analysis Updated
Jun 30, 2026 - 04:43 vuln.today
v4 (cvss_changed)
Analysis Updated
Jun 30, 2026 - 04:43 vuln.today
v3 (cvss_changed)
Analysis Updated
Jun 30, 2026 - 04:42 vuln.today
v2 (cvss_changed)
CVSS changed
Jun 30, 2026 - 03:24 NVD
7.7 (HIGH) 8.2 (HIGH)
Re-analysis Queued
Apr 29, 2026 - 19:22 vuln.today
cvss_changed
Patch released
Mar 31, 2026 - 13:49 nvd
Patch available
EUVD ID Assigned
Mar 27, 2026 - 08:30 euvd
EUVD-2026-16561
Analysis Generated
Mar 27, 2026 - 08:30 vuln.today
CVE Published
Mar 27, 2026 - 08:10 nvd
HIGH 7.7

DescriptionNVD

Dovecot SQL based authentication can be bypassed when auth_username_chars is cleared by admin. This vulnerability allows bypassing authentication for any user and user enumeration. Do not clear auth_username_chars. If this is not possible, install latest fixed version. No publicly available exploits are known.

AnalysisAI

Authentication bypass and user enumeration in OX Dovecot Pro (versions up to and including 3.1.0 and the 2.4.x line up to 2.4.0) lets remote attackers log in as any user when an administrator has cleared the auth_username_chars setting. The flaw is a CWE-89 SQL injection in the SQL-backed authentication driver: with input character filtering disabled, attacker-controlled username data reaches the SQL auth query unsanitized, enabling both full authentication bypass and account enumeration. Reported by OX and tracked as EUVD-2026-16561; no public exploit is identified at time of analysis, and CISA SSVC rates exploitation as none while assessing technical impact as total.

Technical ContextAI

Dovecot is a widely deployed IMAP/POP3 mail server whose SQL-based authentication backend builds database lookup queries from the supplied login username. Dovecot normally restricts which characters are accepted in usernames via the auth_username_chars configuration directive, which acts as an allow-list sanitizer before the value is used in the passdb/userdb SQL lookup. The CWE-89 root cause is that when an administrator empties auth_username_chars, this protective filtering is removed, so SQL metacharacters embedded in a username flow into the authentication query and alter its logic. The affected CPE is cpe:2.3:a:open-xchange_gmbh:ox_dovecot_pro, the commercial Open-Xchange distribution of Dovecot; the same code path is reflected in the community packages tracked by Ubuntu (8 releases) and Debian (7 releases). The SQLi tag and CWE-89 confirm this is classic SQL injection in the auth layer rather than a memory-safety or protocol flaw.

RemediationAI

The vendor's primary guidance is operational and immediate: do not clear the auth_username_chars setting - keeping or restoring a populated auth_username_chars allow-list re-enables the input filtering that blocks the SQL injection and fully mitigates the issue with no patch required, at the cost of disallowing the broader username character set the administrator may have wanted. Where clearing auth_username_chars is genuinely required, install the latest fixed version: a patch is available per the vendor advisory (Patch available per vendor advisory; an exact fixed version number is not stated in the available data, so confirm the specific release with Open-Xchange before upgrading, given affected ranges of ≤3.1.0 and ≤2.4.0). Apply distribution updates where you run packaged Dovecot, e.g. Ubuntu USN-8136-1 (https://ubuntu.com/security/notices/USN-8136-1), and consult the vendor CSAF advisory at https://documentation.open-xchange.com/dovecot/security/advisories/csaf/2026/oxdc-adv-2026-0001.json. As an interim compensating control until patching, audit your Dovecot auth configuration for an empty auth_username_chars and restrict network exposure of the IMAP/POP3/auth endpoints to trusted networks.

CVE-2026-27851 CRITICAL
9.1 May 12

Authentication-layer injection in OX Dovecot Pro (versions up to and including 2.4.3 and 3.1.4) arises from a flaw in th

CVE-2025-59032 HIGH
7.5 Mar 27

OX Dovecot Pro ManageSieve service crashes when processing AUTHENTICATE commands with SASL initial responses using liter

CVE-2026-27858 HIGH
7.5 Mar 27

OX Dovecot Pro managesieve-login process crashes repeatedly due to memory exhaustion triggered by unauthenticated attack

CVE-2026-27857 HIGH
7.5 Mar 27

Remote memory-exhaustion denial of service in OX Dovecot Pro (versions up to and including 2.3.0) lets an unauthenticate

CVE-2026-27856 MEDIUM
5.9 Mar 27

OX Dovecot Pro's doveadm HTTP service is vulnerable to timing oracle attacks during credential verification, allowing re

CVE-2025-59028 MEDIUM
5.3 Mar 27

OX Dovecot Pro authentication server becomes disconnected when processing invalid base64 SASL data, causing all concurre

CVE-2026-0394 MEDIUM
5.3 Mar 27

Path traversal in OX Dovecot Pro allows unauthenticated remote attackers to read arbitrary files such as /etc/passwd whe

CVE-2026-27859 MEDIUM
5.3 Mar 27

OX Dovecot Pro mail delivery processes consume excessive CPU resources when processing mail messages containing abnormal

CVE-2025-59031 MEDIUM
4.3 Mar 27

Dovecot's text conversion script for OOXML attachments unsafely processes zip-style files, allowing authenticated attack

CVE-2026-42006 MEDIUM
4.3 May 12

OX Dovecot Pro allows authenticated attackers to cause uncontrolled memory consumption and denial of service via excessi

CVE-2026-40020 LOW
3.1 May 12

OX Dovecot Pro is vulnerable to IMAP SETACL command injection that allows authenticated users to bypass the imap_acl_all

Vendor StatusVendor

Ubuntu

Priority: Medium
dovecot
Release Status Version
trusty not-affected code not present
xenial not-affected code not present
bionic not-affected code not present
focal not-affected code not present
jammy not-affected code not present
noble not-affected code not present
questing needed -
upstream released 2.4.3

Debian

dovecot
Release Status Fixed Version Urgency
bullseye vulnerable 1:2.3.13+dfsg1-2+deb11u1 -
bullseye (security) vulnerable 1:2.3.13+dfsg1-2+deb11u2 -
bookworm, bookworm (security) vulnerable 1:2.3.19.1+dfsg1-2.1+deb12u1 -
trixie vulnerable 1:2.4.1+dfsg1-6+deb13u3 -
trixie (security) vulnerable 1:2.4.1+dfsg1-6+deb13u1 -
forky, sid vulnerable 1:2.4.2+dfsg1-4 -
(unstable) fixed (unfixed) -

SUSE

Severity: High
Product Status
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise Module for Server Applications 15 SP7 Fixed
SUSE Linux Enterprise Module for Server Applications 15 SP7 Fixed
SUSE Linux Enterprise Server 15 SP7 Fixed

Share

CVE-2026-24031 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy