Skip to main content

OX Dovecot Pro CVE-2026-33603

| EUVDEUVD-2026-29468 MEDIUM
Improper Control of Resource Identifiers ('Resource Injection') (CWE-99)
2026-05-12 OX GHSA-gxj9-f8v6-q8h3
6.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.8 MEDIUM
AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
SUSE
MEDIUM
qualitative
Red Hat
6.8 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Adjacent
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

2
Analysis Generated
May 12, 2026 - 14:16 vuln.today
CVE Published
May 12, 2026 - 13:28 nvd
MEDIUM 6.8

DescriptionCVE.org

Attacker can use a specially crafted base64 exchange between Dovecot and Client to fake SCRAM TLS channel binding. This requires that the attacker is able to position itself between Dovecot and the client connection. If successful, the attacker can eavesdrop communications between Dovecot and client as MITM proxy. Install fixed version. No publicly available exploits are known.

AnalysisAI

Man-in-the-middle attackers positioned between OX Dovecot Pro and clients can forge SCRAM TLS channel binding via specially crafted base64 exchanges, allowing eavesdropping on encrypted communications. The attack requires network-level access and knowledge of channel binding mechanics but yields complete confidentiality compromise. No public exploit code is known, and patched versions are available from Open-Xchange.

Technical ContextAI

SCRAM (Salted Challenge Response Authentication Mechanism) with TLS channel binding is an authentication protocol that binds the SASL authentication to the underlying TLS session to prevent credential relay and MITM attacks. Channel binding embeds proof of the TLS connection into the authentication exchange; the vulnerability allows attackers to forge or replay this binding by manipulating base64-encoded SCRAM messages. CWE-99 (Improper Control of Resource Identifiers) suggests the vulnerability stems from inadequate validation or verification of channel binding data structures. OX Dovecot Pro is the commercial variant of Dovecot, a widely-used IMAP/POP3 mail server.

RemediationAI

Upgrade OX Dovecot Pro to the patched version specified in Open-Xchange advisory OXDC-ADV-2026-0002 (consult https://documentation.open-xchange.com/dovecot/security/advisories/csaf/2026/oxdc-adv-2026-0002.json for exact version and timing). If immediate patching is not feasible, implement compensating controls: restrict SCRAM authentication to internal, trusted networks only by using firewall rules or Dovecot ACLs to block external SCRAM connections; alternatively, enforce certificate pinning or mutual TLS authentication to prevent MITM positioning. Both workarounds degrade user experience (e.g., external mail clients may fail) and do not address the root cause, making patching the primary remediation path.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise Module for Server Applications 15 SP7 Fixed
SUSE Linux Enterprise Module for Server Applications 15 SP7 Fixed

Share

CVE-2026-33603 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy