Skip to main content

OX Dovecot Pro CVE-2026-27851

| EUVDEUVD-2026-29467 CRITICAL
Improper Handling of Extra Parameters (CWE-235)
2026-05-12 OX GHSA-xfpv-rrgm-4qqr
9.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.1 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
vuln.today AI
9.1 CRITICAL

Pre-auth injection in the login path gives AV:N/PR:N/UI:N; AC:L since no attacker-side hurdle (config dependency is server-side, not an attack condition); C:H/I:H for auth bypass/data access, A:N as no availability impact.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
SUSE
7.4 HIGH
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Red Hat
7.4 HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

7
Analysis Updated
Jun 30, 2026 - 03:33 vuln.today
v3 (cvss_changed)
Analysis Updated
Jun 30, 2026 - 03:33 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jun 30, 2026 - 03:24 vuln.today
cvss_changed
Severity Changed
Jun 30, 2026 - 03:24 NVD
HIGH CRITICAL
CVSS changed
Jun 30, 2026 - 03:24 NVD
7.4 (HIGH) 9.1 (CRITICAL)
Analysis Generated
May 12, 2026 - 14:15 vuln.today
CVE Published
May 12, 2026 - 13:28 nvd
HIGH 7.4

DescriptionNVD

When safe filter is used with variable expansion, all following pipelines on the same string are incorrectly interpreted as safe too, enabling unsafe data to be unescaped. This can enable SQL / LDAP injection attacks when used in authentication. Avoid using safe filter until on fixed version. No publicly available exploits are known.

AnalysisAI

Authentication-layer injection in OX Dovecot Pro (versions up to and including 2.4.3 and 3.1.4) arises from a flaw in the 'safe' template filter: when 'safe' is applied during variable expansion, every subsequent pipeline stage on the same string inherits the 'safe' designation, so attacker-controlled data that should be escaped is passed through unescaped. Because variable expansion is used to build authentication backend queries, this enables SQL or LDAP injection by remote unauthenticated attackers. There is no public exploit identified at time of analysis, and EPSS exploitation probability is negligible (0.01%, 2nd percentile).

Technical ContextAI

Dovecot is a widely-used IMAP/POP3 mail server; OX Dovecot Pro is Open-Xchange's supported enterprise distribution (CPE cpe:2.3:a:open-xchange_gmbh:ox_dovecot_pro). Dovecot's configuration uses a variable-expansion/templating syntax where filters can be chained in pipelines (e.g. %{variable | filter | filter}). The 'safe' filter is meant to mark a single value as already neutralized for a given context (such as SQL or LDAP query construction). The defect is a state-tracking error: once 'safe' is encountered, the 'safe' flag is not reset for following filters/pipelines operating on the same string, so escaping that should occur downstream is skipped. The assigned CWE-235 (Improper Handling of Extra Parameters) points to the parser/expansion logic mishandling subsequent pipeline elements; the practical consequence is an injection class flaw (the tags label it 'Code Injection') when this expansion feeds userdb/passdb SQL or LDAP lookups during login.

RemediationAI

Patch available per vendor advisory: upgrade OX Dovecot Pro to a fixed release above the affected 2.4.3 and 3.1.4 branches as specified in Open-Xchange advisory oxdc-adv-2026-0002 (https://documentation.open-xchange.com/dovecot/security/advisories/csaf/2026/oxdc-adv-2026-0002.json); the exact fixed version numbers should be taken directly from that advisory and the matching distro notices (Ubuntu USN-8365-1, Red Hat CSAF VEX) rather than assumed. As an explicit interim workaround the vendor recommends avoiding use of the 'safe' filter until on a fixed version - review passdb/userdb and any auth-related variable-expansion configuration and remove or rewrite pipelines that rely on 'safe' for SQL/LDAP escaping, substituting backend-native parameterization or known-good escaping; the trade-off is that auth query templates may need rework and testing to preserve correct login behavior. Where immediate config changes are not feasible, restrict and monitor authentication inputs and prioritize the upgrade.

CVE-2026-24031 HIGH
8.2 Mar 27

Authentication bypass and user enumeration in OX Dovecot Pro (versions up to and including 3.1.0 and the 2.4.x line up t

CVE-2025-59032 HIGH
7.5 Mar 27

OX Dovecot Pro ManageSieve service crashes when processing AUTHENTICATE commands with SASL initial responses using liter

CVE-2026-27858 HIGH
7.5 Mar 27

OX Dovecot Pro managesieve-login process crashes repeatedly due to memory exhaustion triggered by unauthenticated attack

CVE-2026-27857 HIGH
7.5 Mar 27

Remote memory-exhaustion denial of service in OX Dovecot Pro (versions up to and including 2.3.0) lets an unauthenticate

CVE-2026-27856 MEDIUM
5.9 Mar 27

OX Dovecot Pro's doveadm HTTP service is vulnerable to timing oracle attacks during credential verification, allowing re

CVE-2025-59028 MEDIUM
5.3 Mar 27

OX Dovecot Pro authentication server becomes disconnected when processing invalid base64 SASL data, causing all concurre

CVE-2026-0394 MEDIUM
5.3 Mar 27

Path traversal in OX Dovecot Pro allows unauthenticated remote attackers to read arbitrary files such as /etc/passwd whe

CVE-2026-27859 MEDIUM
5.3 Mar 27

OX Dovecot Pro mail delivery processes consume excessive CPU resources when processing mail messages containing abnormal

CVE-2025-59031 MEDIUM
4.3 Mar 27

Dovecot's text conversion script for OOXML attachments unsafely processes zip-style files, allowing authenticated attack

CVE-2026-42006 MEDIUM
4.3 May 12

OX Dovecot Pro allows authenticated attackers to cause uncontrolled memory consumption and denial of service via excessi

CVE-2026-40020 LOW
3.1 May 12

OX Dovecot Pro is vulnerable to IMAP SETACL command injection that allows authenticated users to bypass the imap_acl_all

Vendor StatusVendor

SUSE

Severity: High
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise Module for Server Applications 15 SP7 Fixed
SUSE Linux Enterprise Module for Server Applications 15 SP7 Fixed

Share

CVE-2026-27851 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy