CVE-2026-27860

LOW

OX Dovecot Pro <3.1.0 - Auth Bypass

Description

If auth_username_chars is empty, it is possible to inject an arbitrary LDAP filter into Dovecot's LDAP authentication. This potentially leads to bypassing restrictions and allows probing of the LDAP structure. Do not clear out auth_username_chars, or install a fixed version. No publicly available exploits are known.

Scores

CVSS v3 3.7
EPSS 0.0002
EPSS Percentile 6.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-90
Status published
Products (4)
dovecot/dovecot < 2.4.3
open-xchange/dovecot < 3.1.4
Open-Xchange GmbH/OX Dovecot Pro < 2.4.0
Open-Xchange GmbH/OX Dovecot Pro < 3.1.0
Published Mar 27, 2026
Tracked Since Mar 27, 2026