SB2026051937 - Multiple vulnerabilities in Dovecot
Published: May 19, 2026
Description
This security bulletin contains information about 5 vulnerabilities.
1) Improper Handling of Extra Parameters (CVE-ID: CVE-2026-27851)
CWE-ID: CWE-235 - Improper Handling of Extra Parameters
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to conduct SQL or LDAP injection attacks.
The vulnerability exists due to improper handling of extra parameters in lib-var-expand when using the safe filter with variable expansion. A remote attacker can supply unsafe data that is incorrectly treated as safe to conduct SQL or LDAP injection attacks.
The issue is reachable when the affected expansion is used in authentication lookups.
2) Resource exhaustion (CVE-ID: CVE-2026-40016)
CWE-ID: CWE-400 - Resource exhaustion
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to cause a denial of service.
The vulnerability exists due to uncontrolled resource consumption in the Sieve substring matching implementation when processing a malicious Sieve script. A remote user can upload a malicious Sieve script to cause a denial of service.
The script can be uploaded over the ManageSieve service or through local access, and the issue can exceed configured CPU time limits for Sieve by a factor of up to 130.
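To illustrate the class of problem in item 2, here is an added example that is not Dovecot or Pigeonhole code. The bulletin does not say which matching operation is affected, so this assumes Sieve's `:matches` wildcard semantics (`*` for any run of characters, `?` for exactly one, case-insensitive as with the default `i;ascii-casemap` comparator) and shows a matcher whose work grows exponentially with the number of wildcards next to one whose work is bounded by the product of the pattern and text lengths. A per-script CPU limit is checked between operations, so one unbounded operation can overrun it by a large factor, which is why the work inside the operation has to be bounded as well.

```python
# Added example (not Dovecot/Pigeonhole code): two Sieve-style ":matches"
# wildcard matchers. Assumption: "*" matches any run of characters, "?" exactly
# one, and comparison is ASCII case-insensitive.


class MatchBudgetExceeded(Exception):
    """Raised when a matcher performs more steps than the caller allowed."""


def naive_matches(pattern: str, text: str, budget: int = 100_000) -> bool:
    """Recursive matcher that tries every possible split for each '*'.

    Worst-case work is exponential in the number of '*' wildcards, so a short
    script can consume far more CPU than a per-script limit anticipates.
    The step budget exists only to make the blow-up observable.
    """
    steps = 0

    def rec(p: int, t: int) -> bool:
        nonlocal steps
        steps += 1
        if steps > budget:
            raise MatchBudgetExceeded(f"exceeded {budget} steps")
        if p == len(pattern):
            return t == len(text)
        if pattern[p] == "*":
            # Try letting '*' absorb 0..remaining characters: this is the blow-up.
            return any(rec(p + 1, i) for i in range(t, len(text) + 1))
        if t < len(text) and (pattern[p] == "?" or pattern[p].lower() == text[t].lower()):
            return rec(p + 1, t + 1)
        return False

    return rec(0, 0)


def naive_exceeds_budget(pattern: str, text: str, budget: int = 100_000) -> bool:
    """True if the naive matcher cannot finish within the step budget."""
    try:
        naive_matches(pattern, text, budget)
    except MatchBudgetExceeded:
        return True
    return False


def bounded_matches(pattern: str, text: str) -> tuple[bool, int]:
    """Iterative matcher that backtracks only to the most recent '*'.

    Total work is at most O(len(pattern) * len(text)) no matter how many
    wildcards the pattern contains. Returns (matched, steps_taken).
    """
    p = t = 0
    star = -1      # index of the most recent '*' in the pattern
    star_t = 0     # text position that '*' currently extends to
    steps = 0
    while t < len(text):
        steps += 1
        if p < len(pattern) and pattern[p] == "*":
            star, star_t, p = p, t, p + 1
        elif p < len(pattern) and (pattern[p] == "?" or pattern[p].lower() == text[t].lower()):
            p += 1
            t += 1
        elif star != -1:
            # Mismatch after a '*': let that '*' absorb one more character and retry.
            star_t += 1
            t = star_t
            p = star + 1
        else:
            return False, steps
    # Trailing '*' wildcards may match the empty string.
    while p < len(pattern) and pattern[p] == "*":
        p += 1
    return p == len(pattern), steps


if __name__ == "__main__":
    pathological = ("*a*a*a*a*b", "a" * 40)   # constructed worst-case input
    print("bounded:", bounded_matches(*pathological))
    print("naive exceeds 100k steps:", naive_exceeds_budget(*pathological))
```

The bounded form is the one to reach for in any server-side matcher that runs on user-supplied patterns: its cost is predictable, so a CPU or step limit placed around it actually holds.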
3) Improper Control of Resource Identifiers ('Resource Injection') (CVE-ID: CVE-2026-33603)
CWE-ID: CWE-99 - Improper Control of Resource Identifiers ('Resource Injection')
CVSSv4: CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to eavesdrop communications between Dovecot and a client.
The vulnerability exists due to improper control of resource identifiers in login when processing a specially crafted base64 exchange between Dovecot and the client. A remote attacker can send a specially crafted base64 exchange to eavesdrop communications between Dovecot and a client.
Exploitation requires an attacker positioned between Dovecot and the client connection, and the flaw can be used to fake SCRAM TLS channel binding.
4) Improper access control (CVE-ID: CVE-2026-40020)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to spam other users' folders.
The vulnerability exists due to improper access control in the IMAP SETACL command, which allows injecting the anyone permission into a user's dovecot-acl file. A remote user can use the IMAP SETACL command to spam other users' folders.
No unexpected access is gained.
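An administrator checking whether item 4 has already been used against a deployment can audit the per-mailbox dovecot-acl files for broad grants. The following is an added example, not Dovecot code; it assumes the per-mailbox file format of one `<identifier> <rights>` entry per line, with the standard right letters and an optional leading `-` for negative rights. The sample file content is constructed.

```python
import os
from dataclasses import dataclass

# Constructed sample of a per-mailbox dovecot-acl file. The "anyone" line is
# the kind of entry the bulletin describes being injected through SETACL.
SAMPLE_ACL = """\
# owner keeps full rights
owner lrwstipekxa
user=alice lr
anyone p
group=support lrs
user=mallory -lr
"""

# Right letters as used in dovecot-acl files (assumed standard set).
RIGHT_NAMES = {
    "l": "lookup", "r": "read", "w": "write", "s": "write-seen",
    "t": "write-deleted", "i": "insert", "p": "post", "e": "expunge",
    "k": "create", "x": "delete", "a": "admin",
}
# Rights that let a non-owner place messages into the mailbox.
DELIVERY_RIGHTS = {"i", "p"}
# Identifiers that grant rights to everybody rather than a named principal.
BROAD_IDENTIFIERS = {"anyone", "anonymous", "authenticated"}


@dataclass
class AclEntry:
    identifier: str
    rights: set[str]
    negative: bool
    line_no: int


def parse_dovecot_acl(text: str) -> list[AclEntry]:
    """Parse the contents of one dovecot-acl file into entries."""
    entries: list[AclEntry] = []
    for n, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 2:
            raise ValueError(f"line {n}: expected '<identifier> <rights>', got {raw!r}")
        identifier, rights = parts
        negative = rights.startswith("-")
        letters = set(rights.lstrip("-"))
        unknown = letters - RIGHT_NAMES.keys()
        if unknown:
            raise ValueError(f"line {n}: unknown right letters {sorted(unknown)}")
        entries.append(AclEntry(identifier, letters, negative, n))
    return entries


def find_broad_delivery_grants(text: str) -> list[AclEntry]:
    """Entries that let everybody insert or post messages into the mailbox."""
    return [
        e for e in parse_dovecot_acl(text)
        if not e.negative
        and e.identifier in BROAD_IDENTIFIERS
        and e.rights & DELIVERY_RIGHTS
    ]


def describe(entry: AclEntry) -> str:
    names = ", ".join(RIGHT_NAMES[r] for r in sorted(entry.rights))
    return f"line {entry.line_no}: {entry.identifier} -> {names}"


def audit_tree(root: str) -> dict[str, list[AclEntry]]:
    """Walk a mail store and report every dovecot-acl file with broad grants."""
    findings: dict[str, list[AclEntry]] = {}
    for dirpath, _dirs, files in os.walk(root):
        if "dovecot-acl" not in files:
            continue
        path = os.path.join(dirpath, "dovecot-acl")
        with open(path, encoding="utf-8") as fh:
            hits = find_broad_delivery_grants(fh.read())
        if hits:
            findings[path] = hits
    return findings


if __name__ == "__main__":
    for hit in find_broad_delivery_grants(SAMPLE_ACL):
        print(describe(hit))
```

Run `audit_tree("/var/vmail")` (or wherever the mail store lives) to scan a deployment; every reported `anyone` or `authenticated` entry carrying `p` or `i` deserves a look, since neither is something a user normally sets on their own folders.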
5) Resource exhaustion (CVE-ID: CVE-2026-42006)
CWE-ID: CWE-400 - Resource exhaustion
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to cause a denial of service.
The vulnerability exists due to uncontrolled resource consumption in imap-login when processing excessive bracing over IMAP. A remote user can send excessive bracing to cause a denial of service.
The issue remained reachable because an earlier fix blocked closing braces, but open braces could still bypass the limit.
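The failure mode in item 5, a limit that was enforced on one kind of brace only, is worth seeing in code. The following is an added example and not Dovecot code; it assumes that "bracing" refers to the `{` and `}` characters of IMAP literal syntax (`{<size>}`), and the limit values are constructed for the demonstration.

```python
import re
from dataclasses import dataclass

# Constructed limits for the demonstration; the real values are not on the page.
MAX_BRACES = 4
MAX_LITERAL_SIZE = 1024 * 1024

# IMAP literal marker: "{<size>}" or the non-synchronizing "{<size>+}".
LITERAL_RE = re.compile(r"\{(\d+)\+?\}")


@dataclass
class Verdict:
    accepted: bool
    reason: str


def closing_only_within_limit(line: str, limit: int = MAX_BRACES) -> bool:
    """Flawed check in the shape the bulletin describes: only closing braces
    are counted, so a line built from opening braces passes unchanged."""
    return line.count("}") <= limit


def check_command_line(line: str, max_braces: int = MAX_BRACES,
                       max_literal: int = MAX_LITERAL_SIZE) -> Verdict:
    """Pre-parse check that bounds both brace kinds and literal sizes.

    Counting opening and closing braces together closes the bypass, and
    checking each literal's declared size keeps a well-formed line from
    announcing an unreasonable amount of data to follow.
    """
    opens = line.count("{")
    closes = line.count("}")
    if opens + closes > max_braces:
        return Verdict(False, f"{opens + closes} braces exceeds limit {max_braces}")
    for m in LITERAL_RE.finditer(line):
        size = int(m.group(1))
        if size > max_literal:
            return Verdict(False, f"literal of {size} bytes exceeds limit {max_literal}")
    return Verdict(True, "ok")


if __name__ == "__main__":
    # Constructed sample lines: a normal APPEND and a line of opening braces.
    for sample in ("a001 APPEND INBOX {310}", "a002 NOOP " + "{" * 12):
        print(repr(sample), closing_only_within_limit(sample), check_command_line(sample))
```

The contrast is the point: a limit has to be applied to the whole class of input it is meant to bound, not to the one variant that was observed when the limit was written.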
Remediation
Install the update from the vendor's website.