Resource exhaustion in Dovecot and OX Dovecot Pro - CVE-2026-40016


Published: May 19, 2026


Vulnerability identifier: #VU131866
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-40016
CWE-ID: CWE-400
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Dovecot
Affected software:
Dovecot
OX Dovecot Pro

Detailed vulnerability description

The vulnerability allows a remote user to cause a denial of service.

The vulnerability exists due to uncontrolled resource consumption in the Sieve substring matching implementation when processing a malicious Sieve script. A remote user can upload a malicious Sieve script to cause a denial of service.

The script can be uploaded over the ManageSieve service or through local access, and the issue can exceed the configured CPU time limit for Sieve by a factor of up to 130.


How to mitigate CVE-2026-40016

Install the security update from the vendor's website.

Sources