SB2026040129 - Multiple vulnerabilities in Dovecot

Published: April 1, 2026

Security Bulletin ID: SB2026040129
Severity: High
Patch available: YES
Number of vulnerabilities: 7
Exploitation vector: Remote access
Highest impact: Denial of service

Breakdown by Severity

High: 14%
Medium: 86%

Description

This security bulletin contains information about 7 security vulnerabilities.


1) Authentication Bypass by Capture-replay (CVE-ID: CVE-2026-27855)

The vulnerability allows a remote attacker to bypass authentication.

The vulnerability exists due to authentication bypass by capture-replay in OTP authentication driver when caching credentials. A remote attacker can capture and replay OTP credentials to bypass authentication.

User interaction is required to trigger the initial authentication, and the auth cache must be enabled with username alteration in the passdb.


2) Improper Authentication (CVE-ID: CVE-2026-27856)

The vulnerability allows a remote attacker to bypass authentication.

The vulnerability exists due to improper authentication in doveadm credentials verification when comparing provided credentials. A remote attacker can perform a timing oracle attack to bypass authentication.
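The bulletin does not say how the doveadm comparison was fixed, but the general defensive pattern against a timing oracle in credential comparison is a comparison whose running time does not depend on where the first mismatching byte is. The following is an added illustration written for this page, not Dovecot's code: a naive early-exit comparison beside a constant-time one that also hides the length of the stored value by comparing fixed-size digests. The function names and the sample credentials are constructed for the example.

```python
import hashlib
import hmac

def verify_naive(stored: bytes, provided: bytes) -> bool:
    """Early-exit comparison: returns at the first mismatching byte.

    The number of loop iterations, and therefore the response time, grows
    with the length of the matching prefix. A remote caller who can measure
    response times can use that as an oracle. This is the weak form, kept
    here only to show what the hardened version avoids.
    """
    if len(stored) != len(provided):
        return False
    for a, b in zip(stored, provided):
        if a != b:
            return False
    return True

def verify_constant_time(stored: bytes, provided: bytes) -> bool:
    """Comparison whose time does not depend on the position of a mismatch.

    Both inputs are hashed to a fixed 32-byte digest first, so the length of
    the stored secret is not leaked through a length check either, and the
    digests are then compared with hmac.compare_digest, which always walks
    the full buffer.
    """
    stored_digest = hashlib.sha256(stored).digest()
    provided_digest = hashlib.sha256(provided).digest()
    return hmac.compare_digest(stored_digest, provided_digest)

# Constructed sample credential, not a real secret.
STORED_SECRET = b"correct horse battery staple"

def check_login(provided: bytes) -> bool:
    """Entry point a service would call; uses the hardened comparison."""
    return verify_constant_time(STORED_SECRET, provided)

if __name__ == "__main__":
    print("exact match:", check_login(b"correct horse battery staple"))
    print("near miss:  ", check_login(b"correct horse battery stapl3"))
    print("wrong len:  ", check_login(b"short"))
```

Both functions return the same boolean for every input; the difference is only in how the answer is computed, which is exactly the property a timing oracle exploits.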


3) Resource exhaustion (CVE-ID: CVE-2026-27858)

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to uncontrolled resource consumption in managesieve-login service when processing pre-authentication data. A remote attacker can send a specially crafted message before authentication to cause a denial of service.


4) Resource exhaustion (CVE-ID: CVE-2026-27857)

The vulnerability allows a remote user to cause a denial of service.

The vulnerability exists due to uncontrolled resource consumption in imap-login process when handling malformed NOOP commands. A remote user can send a specially crafted command with excessive parentheses to cause a denial of service.


5) Resource exhaustion (CVE-ID: CVE-2026-27859)

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to uncontrolled resource consumption in MIME parameter parsing when processing message headers. A remote attacker can send a specially crafted email message with excessive RFC 2231 MIME parameters to cause a denial of service of the LMTP mail delivery process.


6) SQL injection (CVE-ID: CVE-2026-24031)

The vulnerability allows a remote attacker to bypass authentication and enumerate users.

The vulnerability exists due to improper input validation in SQL-based authentication when processing usernames. A remote attacker can send a specially crafted request with a malicious username, when auth_username_chars has been cleared by the administrator, to bypass authentication and enumerate users.

The server must have the auth_username_chars configuration option cleared.


7) LDAP injection (CVE-ID: CVE-2026-27860)

The vulnerability allows a remote attacker to bypass authentication.

The vulnerability exists due to improper neutralization of special elements in an LDAP query within the auth-ldap module when processing usernames. A remote attacker can send a specially crafted request with a malicious username, when auth_username_chars is empty, to probe the LDAP structure and potentially bypass authentication.

The server must have the auth_username_chars configuration option cleared.
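Items 6 and 7 both hinge on auth_username_chars being cleared, and item 1 requires the auth cache to be enabled, so an administrator's first question is whether a given host meets those preconditions. The script below is an added example for this page, not part of the bulletin or of Dovecot: it parses the "key = value" lines that `doveconf -n` prints and reports an empty auth_username_chars and a non-zero auth_cache_size. The sample configuration dump embedded in it is constructed for the example; the passdb username-alteration half of item 1's precondition is not derivable from settings alone and is not checked.

```python
"""Audit a Dovecot `doveconf -n` dump for preconditions named in SB2026040129.

Usage (assumed invocation, example code):
    doveconf -n > /tmp/doveconf.txt
    python3 audit_dovecot.py /tmp/doveconf.txt
With no argument the constructed SAMPLE_CONF below is audited instead.
"""
import re
import sys

# Constructed sample of doveconf -n output; not taken from any real server.
SAMPLE_CONF = """\
# 2.3.x: /etc/dovecot/dovecot.conf
auth_cache_size = 10 M
auth_username_chars =
auth_mechanisms = plain login
passdb {
  driver = sql
  args = /etc/dovecot/dovecot-sql.conf.ext
}
"""

SETTING_RE = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$")

def parse_doveconf(text: str) -> dict:
    """Return {setting: value} for 'key = value' lines of a doveconf dump.

    Settings inside a block such as `passdb { ... }` are recorded under a
    'block/key' name so they do not collide with a global setting of the
    same name. Comments and blank lines are skipped.
    """
    settings = {}
    stack = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if stripped.endswith("{"):
            stack.append(stripped[:-1].strip())
            continue
        if stripped == "}":
            if stack:
                stack.pop()
            continue
        m = SETTING_RE.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        settings["/".join(stack + [key])] = value
    return settings

def parse_size(value: str) -> int:
    """Parse a Dovecot size value ('0', '10 M', '1G') into bytes."""
    m = re.match(r"^\s*(\d+)\s*([kKmMgG]?)", value)
    if not m:
        return 0
    mult = {"": 1, "k": 1024, "m": 1024 ** 2, "g": 1024 ** 3}
    return int(m.group(1)) * mult[m.group(2).lower()]

def audit(settings: dict) -> list:
    """Return a list of finding strings; an empty list means no precondition found."""
    findings = []
    # Items 6 and 7: an empty auth_username_chars disables username filtering.
    if settings.get("auth_username_chars") == "":
        findings.append(
            "auth_username_chars is cleared: precondition for CVE-2026-24031 "
            "(SQL injection) and CVE-2026-27860 (LDAP injection)"
        )
    # Item 1: auth cache enabled is one of the two stated preconditions.
    if parse_size(settings.get("auth_cache_size", "0")) > 0:
        findings.append(
            "auth_cache_size > 0: auth cache enabled, one precondition for "
            "CVE-2026-27855 (OTP capture-replay)"
        )
    return findings

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONF
    for finding in audit(parse_doveconf(text)):
        print("FINDING:", finding)
```

A host with the default, non-empty auth_username_chars and auth_cache_size = 0 produces no findings; the constructed sample produces both.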


Remediation

Install the update from the vendor's website.