Skip to main content

OX Dovecot Pro EUVDEUVD-2026-29470

| CVE-2026-40016 MEDIUM
Uncontrolled Resource Consumption (CWE-400)
2026-05-12 OX GHSA-m97m-74mq-mqc6
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative
Red Hat
6.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

2
Analysis Generated
May 12, 2026 - 14:16 vuln.today
CVE Published
May 12, 2026 - 13:28 nvd
MEDIUM 5.3

DescriptionCVE.org

Attacker can upload a malicious Sieve script over ManageSieve service (or locally) to bypass configured CPU time limits for Sieve up to 130 times of the configured limit. Attacker can use this to degrade server performance and bypass configured CPU time limits for Sieve scripts. Install fixed version, or alternatively prevent direct access to Sieve scripts via ManageSieve or local access. No publicly available exploits are known.

AnalysisAI

OX Dovecot Pro allows authenticated users to upload malicious Sieve scripts via ManageSieve protocol or local access that bypass configured CPU time limits by up to 130 times, enabling denial of service through server performance degradation. The vulnerability requires low-privilege authenticated access and medium attack complexity, affecting availability without compromising confidentiality or integrity. No public exploit code has been identified at the time of analysis.

Technical ContextAI

OX Dovecot Pro implements Sieve script filtering with configurable CPU time limits to prevent resource exhaustion. The vulnerability exists in the Sieve script parser or execution engine, which fails to properly enforce CPU time constraints when processing specially crafted scripts. This is classified as CWE-400 (Uncontrolled Resource Consumption), indicating the product does not adequately limit computational resources consumed by user-supplied Sieve scripts. The ManageSieve protocol (RFC 5804) provides a standard interface for remote script management, and local script placement bypasses protocol-level safeguards entirely. The affected product is identified via CPE as OX Dovecot Pro from Open-Xchange GmbH across all versions.

RemediationAI

Install the fixed version of OX Dovecot Pro as released by Open-Xchange GmbH per their security advisory. If an immediate patch is unavailable, implement the following compensating controls: disable or restrict access to the ManageSieve protocol (RFC 5804) via network firewall rules, limiting script management to out-of-band administrative processes; remove or restrict file system permissions for direct Sieve script placement in the local script directories; and reduce the configured Sieve CPU time limit to account for the 130x amplification factor until patched (e.g., if limit is 10 seconds, temporarily reduce to 0.08 seconds, with side effect of rejecting legitimately complex scripts). Monitor Sieve execution logs and server CPU utilization for signs of resource exhaustion attacks. These workarounds degrade user functionality and are temporary - prioritize patching as the primary remediation.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise Module for Server Applications 15 SP7 Fixed
SUSE Linux Enterprise Module for Server Applications 15 SP7 Fixed

Share

EUVD-2026-29470 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy