Improper Handling of Extra Parameters in Dovecot and OX Dovecot Pro - CVE-2026-27851

Published: May 19, 2026


Vulnerability identifier: #VU131865
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-27851
CWE-ID: CWE-235
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Dovecot
Affected software:
Dovecot
OX Dovecot Pro

Detailed vulnerability description

The vulnerability allows a remote attacker to conduct SQL or LDAP injection attacks.

The vulnerability exists due to improper handling of extra parameters in lib-var-expand when the safe filter is used with variable expansion: data supplied through those extra parameters is treated as already safe and reaches the generated query without being escaped. A remote attacker who controls such a value can inject SQL or LDAP filter syntax.

This is reachable only when the vulnerable behavior is used in authentication, for example in a passdb or userdb lookup whose SQL or LDAP query is built from expanded variables. That precondition is why the CVSS vector carries AT:P.
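To make the failure mode concrete, the following is an illustrative model of the CWE-235 pattern described above. It is added here and is not Dovecot's lib-var-expand code: the `%{var|safe:<escaper>[:<fallback-var>]}` syntax, the fallback parameter, the escapers and the sample templates are all assumptions chosen for the demonstration. The vulnerable variant escapes the primary value but lets the extra (fallback) parameter through verbatim; the hardened variant validates the parameter count and sends every code path through the escaper.

```python
"""Model of an escaping filter that mishandles extra parameters (CWE-235).

Hypothetical syntax (not Dovecot's): %{var|safe:<escaper>[:<fallback-var>]}
"""
import re
from typing import Callable, Dict, List


def ldap_escape(value: str) -> str:
    """RFC 4515 escaping for a value embedded in an LDAP search filter."""
    return "".join(f"\\{ord(c):02x}" if c in "*()\\\x00" else c for c in value)


def sql_escape(value: str) -> str:
    """Minimal escaping for a value placed inside a single-quoted SQL literal."""
    return value.replace("\\", "\\\\").replace("'", "''")


ESCAPERS: Dict[str, Callable[[str], str]] = {"ldap": ldap_escape, "sql": sql_escape}

# Matches %{name|safe:param1:param2...} (hypothetical syntax, see module docstring)
TOKEN = re.compile(r"%\{\s*(\w+)\s*\|\s*safe((?::[^:}]+)*)\s*\}")


def _safe_filter_vulnerable(value: str, params: List[str], variables: Dict[str, str]) -> str:
    escaper = ESCAPERS[params[0]]
    if value == "" and len(params) > 1:
        # BUG: the extra parameter names a fallback variable whose value is
        # returned as-is; only the primary value ever reaches the escaper.
        return variables.get(params[1], "")
    return escaper(value)


def _safe_filter_hardened(value: str, params: List[str], variables: Dict[str, str]) -> str:
    # Reject parameter lists the filter was not written to handle.
    if not 1 <= len(params) <= 2:
        raise ValueError(f"safe: unexpected parameters {params!r}")
    escaper = ESCAPERS[params[0]]
    if value == "" and len(params) == 2:
        value = variables.get(params[1], "")
    # Every path ends in the escaper, so no variable reaches the query raw.
    return escaper(value)


def expand(template: str, variables: Dict[str, str], hardened: bool = True) -> str:
    """Expand %{...|safe...} tokens in template using attacker-influenced variables."""
    impl = _safe_filter_hardened if hardened else _safe_filter_vulnerable

    def sub(m: "re.Match[str]") -> str:
        name = m.group(1)
        params = [p for p in m.group(2).split(":") if p]
        return impl(variables.get(name, ""), params, variables)

    return TOKEN.sub(sub, template)


# Constructed sample templates standing in for an LDAP and an SQL auth lookup.
LDAP_TEMPLATE = "(&(objectClass=posixAccount)(uid=%{user|safe:ldap:login}))"
SQL_TEMPLATE = "SELECT password FROM users WHERE username = '%{user|safe:sql:login}'"


def demo() -> Dict[str, str]:
    """Run both variants against a benign and an injecting login attempt."""
    benign = {"user": "alice", "login": "alice"}
    # Constructed attacker input: empty primary value forces the fallback path.
    attacker = {"user": "", "login": "*)(uid=*"}
    attacker_sql = {"user": "", "login": "' OR '1'='1"}
    return {
        "ldap_benign": expand(LDAP_TEMPLATE, benign, hardened=False),
        "ldap_vulnerable": expand(LDAP_TEMPLATE, attacker, hardened=False),
        "ldap_hardened": expand(LDAP_TEMPLATE, attacker, hardened=True),
        "sql_vulnerable": expand(SQL_TEMPLATE, attacker_sql, hardened=False),
        "sql_hardened": expand(SQL_TEMPLATE, attacker_sql, hardened=True),
    }


if __name__ == "__main__":
    for label, query in demo().items():
        print(f"{label:16} {query}")
```

In the vulnerable run the LDAP filter becomes `(&(objectClass=posixAccount)(uid=*)(uid=*))`, which matches every account; the hardened run yields `(uid=\2a\29\28uid=\2a)`, a literal string comparison. The lesson for reviewing any expansion or templating layer is the same: audit every parameter a filter accepts, not just the one it was designed around, and fail closed on parameters it does not recognize.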


How to mitigate CVE-2026-27851

Install the security update from the vendor's website. Until the update is applied, review any authentication configuration (passdb or userdb lookups against SQL or LDAP) whose query is built with variable expansion and the safe filter, since the issue is only reachable through such a configuration.

Sources