EUVD-2026-16573 | CVE-2026-27860

Severity: LOW (CVSS 3.1 base score 3.7)
Published: 2026-03-27
Vendor: OX

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

Attack Vector:        Network
Attack Complexity:    High
Privileges Required:  None
User Interaction:     None
Scope:                Unchanged
Confidentiality:      Low
Integrity:            None
Availability:         None

Lifecycle Timeline (5 events)

Patch Released     Mar 31, 2026 - 13:49 (nvd)         Patch available
PoC Detected       Mar 30, 2026 - 13:26 (vuln.today)  Public exploit code
EUVD ID Assigned   Mar 27, 2026 - 08:30 (euvd)        EUVD-2026-16573
Analysis Generated Mar 27, 2026 - 08:30 (vuln.today)
CVE Published      Mar 27, 2026 - 08:10 (nvd)         LOW 3.7

Description

If auth_username_chars is empty, it is possible to inject an arbitrary LDAP filter into Dovecot's LDAP authentication. This potentially allows bypassing restrictions and probing the LDAP structure. Do not clear out auth_username_chars, or install a fixed version. No publicly available exploits are known.

Analysis

Open-Xchange Dovecot Pro contains an LDAP filter injection vulnerability in its authentication module. When the auth_username_chars configuration parameter is left empty, remote unauthenticated attackers can inject arbitrary LDAP filters, potentially enabling authentication bypass and reconnaissance of the LDAP directory structure. The vulnerability carries a low CVSS score of 3.7 because of its high attack complexity, and no public exploit code had been identified at the time of analysis.

Remediation

During the next maintenance window: apply vendor patches when convenient. Monitor vendor channels for updates.

Priority Score: 19 (scale: Low / Medium / High / Critical)

KEV:  0
EPSS: +0.0
CVSS: +18
POC:  +20

Vendor Status

Ubuntu (priority: Medium)

Package: dovecot

Release   Status        Version
trusty    not-affected  code not present
xenial    not-affected  code not present
bionic    not-affected  code not present
focal     not-affected  code not present
jammy     not-affected  code not present
noble     not-affected  code not present
questing  needed        -
upstream  released      2.4.3

Debian

Package: dovecot

Release                        Status      Fixed Version                    Urgency
bullseye                       vulnerable  1:2.3.13+dfsg1-2+deb11u1         -
bullseye (security)            vulnerable  1:2.3.13+dfsg1-2+deb11u2         -
bookworm, bookworm (security)  vulnerable  1:2.3.19.1+dfsg1-2.1+deb12u1     -
trixie                         vulnerable  1:2.4.1+dfsg1-6+deb13u3          -
trixie (security)              vulnerable  1:2.4.1+dfsg1-6+deb13u1          -
forky, sid                     vulnerable  1:2.4.2+dfsg1-4                  -
(unstable)                     fixed       (unfixed)                        -

EUVD-2026-16573 vulnerability details – vuln.today