Skip to main content

OX Dovecot Pro EUVDEUVD-2026-29471

| CVE-2026-40020 LOW
Improper Access Control (CWE-284)
2026-05-12 OX GHSA-h6rp-9mjf-6x88
3.1
CVSS 3.1 · NVD

Severity by source

NVD PRIMARY
3.1 LOW
AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
Low

Lifecycle Timeline

2
Analysis Generated
May 12, 2026 - 14:16 vuln.today
CVE Published
May 12, 2026 - 13:28 nvd
LOW 3.1

DescriptionCVE.org

Attacker can use the IMAP SETACL command to inject the anyone permission to user's dovecot-acl file even if imap_acl_allow_anyone=no. This causes folders to be spammed to all users. The impact is limited to being able to spam folders to other users, no unexpected access is gained. Install to fixed version. No publicly available exploits are known.

AnalysisAI

OX Dovecot Pro is vulnerable to IMAP SETACL command injection that allows authenticated users to bypass the imap_acl_allow_anyone configuration setting and inject the anyone permission into dovecot-acl files, enabling spam of mailbox folders to all users. The vulnerability requires authentication and elevated complexity conditions (CVSS 3.1), and no public exploits are known at the time of analysis.

Technical ContextAI

Dovecot is an open-source IMAP/POP3 mail server that implements the IMAP4rev1 Access Control List (ACL) extension (RFC 4314) to manage per-folder permissions. The vulnerability exists in Dovecot Pro's SETACL command implementation, which is intended to allow users to modify access control lists for their mailboxes. The imap_acl_allow_anyone configuration option is designed to restrict whether the special 'anyone' identifier-representing all users-can be granted permissions. The flaw allows an authenticated attacker to inject the 'anyone' permission into the dovecot-acl file even when the administrator has explicitly disabled this feature via imap_acl_allow_anyone=no, circumventing the intended access control policy (CWE-284: Improper Access Control). The impact is limited to mail delivery disruption via spam rather than unauthorized access to protected data.

RemediationAI

Upgrade OX Dovecot Pro to the fixed version specified in the OX security advisory at https://documentation.open-xchange.com/dovecot/security/advisories/csaf/2026/oxdc-adv-2026-0002.json. Until patching is possible, administrators can enforce mitigation by restricting IMAP access to trusted users only via firewall rules or authentication-based access controls, or by implementing mail flow policies that prevent excessive folder sharing requests. However, these workarounds do not eliminate the vulnerability itself, only reduce exposure surface. A secondary mitigation is to audit existing dovecot-acl files for unexpected 'anyone' entries and remove them manually, though this must be repeated until the patch is applied.

CVE-2026-27851 CRITICAL
9.1 May 12

Authentication-layer injection in OX Dovecot Pro (versions up to and including 2.4.3 and 3.1.4) arises from a flaw in th

CVE-2026-24031 HIGH
8.2 Mar 27

Authentication bypass and user enumeration in OX Dovecot Pro (versions up to and including 3.1.0 and the 2.4.x line up t

CVE-2025-59032 HIGH
7.5 Mar 27

OX Dovecot Pro ManageSieve service crashes when processing AUTHENTICATE commands with SASL initial responses using liter

CVE-2026-27858 HIGH
7.5 Mar 27

OX Dovecot Pro managesieve-login process crashes repeatedly due to memory exhaustion triggered by unauthenticated attack

CVE-2026-27857 HIGH
7.5 Mar 27

Remote memory-exhaustion denial of service in OX Dovecot Pro (versions up to and including 2.3.0) lets an unauthenticate

CVE-2026-27856 MEDIUM
5.9 Mar 27

OX Dovecot Pro's doveadm HTTP service is vulnerable to timing oracle attacks during credential verification, allowing re

CVE-2025-59028 MEDIUM
5.3 Mar 27

OX Dovecot Pro authentication server becomes disconnected when processing invalid base64 SASL data, causing all concurre

CVE-2026-0394 MEDIUM
5.3 Mar 27

Path traversal in OX Dovecot Pro allows unauthenticated remote attackers to read arbitrary files such as /etc/passwd whe

CVE-2026-27859 MEDIUM
5.3 Mar 27

OX Dovecot Pro mail delivery processes consume excessive CPU resources when processing mail messages containing abnormal

CVE-2025-59031 MEDIUM
4.3 Mar 27

Dovecot's text conversion script for OOXML attachments unsafely processes zip-style files, allowing authenticated attack

CVE-2026-42006 MEDIUM
4.3 May 12

OX Dovecot Pro allows authenticated attackers to cause uncontrolled memory consumption and denial of service via excessi

Share

EUVD-2026-29471 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy