Severity by source
AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L
Lifecycle Timeline
2DescriptionCVE.org
Attacker can use the IMAP SETACL command to inject the anyone permission to user's dovecot-acl file even if imap_acl_allow_anyone=no. This causes folders to be spammed to all users. The impact is limited to being able to spam folders to other users, no unexpected access is gained. Install to fixed version. No publicly available exploits are known.
AnalysisAI
OX Dovecot Pro is vulnerable to IMAP SETACL command injection that allows authenticated users to bypass the imap_acl_allow_anyone configuration setting and inject the anyone permission into dovecot-acl files, enabling spam of mailbox folders to all users. The vulnerability requires authentication and elevated complexity conditions (CVSS 3.1), and no public exploits are known at the time of analysis.
Technical ContextAI
Dovecot is an open-source IMAP/POP3 mail server that implements the IMAP4rev1 Access Control List (ACL) extension (RFC 4314) to manage per-folder permissions. The vulnerability exists in Dovecot Pro's SETACL command implementation, which is intended to allow users to modify access control lists for their mailboxes. The imap_acl_allow_anyone configuration option is designed to restrict whether the special 'anyone' identifier-representing all users-can be granted permissions. The flaw allows an authenticated attacker to inject the 'anyone' permission into the dovecot-acl file even when the administrator has explicitly disabled this feature via imap_acl_allow_anyone=no, circumventing the intended access control policy (CWE-284: Improper Access Control). The impact is limited to mail delivery disruption via spam rather than unauthorized access to protected data.
RemediationAI
Upgrade OX Dovecot Pro to the fixed version specified in the OX security advisory at https://documentation.open-xchange.com/dovecot/security/advisories/csaf/2026/oxdc-adv-2026-0002.json. Until patching is possible, administrators can enforce mitigation by restricting IMAP access to trusted users only via firewall rules or authentication-based access controls, or by implementing mail flow policies that prevent excessive folder sharing requests. However, these workarounds do not eliminate the vulnerability itself, only reduce exposure surface. A secondary mitigation is to audit existing dovecot-acl files for unexpected 'anyone' entries and remove them manually, though this must be repeated until the patch is applied.
More in Ox Dovecot Pro
View allAuthentication-layer injection in OX Dovecot Pro (versions up to and including 2.4.3 and 3.1.4) arises from a flaw in th
Authentication bypass and user enumeration in OX Dovecot Pro (versions up to and including 3.1.0 and the 2.4.x line up t
OX Dovecot Pro ManageSieve service crashes when processing AUTHENTICATE commands with SASL initial responses using liter
OX Dovecot Pro managesieve-login process crashes repeatedly due to memory exhaustion triggered by unauthenticated attack
Remote memory-exhaustion denial of service in OX Dovecot Pro (versions up to and including 2.3.0) lets an unauthenticate
OX Dovecot Pro's doveadm HTTP service is vulnerable to timing oracle attacks during credential verification, allowing re
OX Dovecot Pro authentication server becomes disconnected when processing invalid base64 SASL data, causing all concurre
Path traversal in OX Dovecot Pro allows unauthenticated remote attackers to read arbitrary files such as /etc/passwd whe
OX Dovecot Pro mail delivery processes consume excessive CPU resources when processing mail messages containing abnormal
Dovecot's text conversion script for OOXML attachments unsafely processes zip-style files, allowing authenticated attack
OX Dovecot Pro allows authenticated attackers to cause uncontrolled memory consumption and denial of service via excessi
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-29471
GHSA-h6rp-9mjf-6x88