CVE-2026-0394

EUVD-2026-16559

27.03.2026, 09:16

When dovecot has been configured to use per-domain passwd files, and they are placed one path component above /etc, or slash has been added to allowed characters, path traversal can happen if the domain component is directory partial. This allows inadvertently reading /etc/passwd (or some other path which ends with passwd). If this file contains passwords, it can be used to authenticate wrongly, or if this is userdb, it can unexpectly make system users appear valid users.  Upgrade to fixed version, or use different authentication scheme that does not rely on paths. Alternatively you can also ensure that the per-domain passwd files are in some other location, such as /etc/dovecot/auth/%d. No publicly available exploits are known.

Path Traversal

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	5.3 MEDIUM	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Base Score

CVSS 3.x

EPSS Score

Percentile: 19%

Affected Products (NVD)

Vendor	Product	Version
dovecot	dovecot	𝑥 < 2.4.0
open-xchange	dovecot	𝑥 < 3.1.0

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

dovecot

bookworm	vulnerable
bookworm (security)	1:2.3.19.1+dfsg1-2.1+deb12u4 fixed
bullseye	vulnerable
bullseye (security)	1:2.3.13+dfsg1-2+deb11u3 fixed
forky	1:2.4.3+dfsg1-2 fixed
sid	1:2.4.3+dfsg1-2 fixed
trixie	1:2.4.1+dfsg1-6+deb13u3 fixed
trixie (security)	1:2.4.1+dfsg1-6+deb13u4 fixed

Ubuntu Releases

Ubuntu Product

Codename

dovecot

bionic	needed
focal	needed
jammy	Fixed 1:2.3.16+dfsg1-3ubuntu2.7 released
noble	Fixed 1:2.3.21+dfsg1-2ubuntu6.3 released
questing	not-affected
resolute	not-affected
trusty	needed
xenial	needed

Common Weakness Enumeration

CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
The software uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the software does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

Vulnerability Media Exposure

[GERMAN] Dovecot: Mehrere Schwachstellen
Ein Angreifer kann mehrere Schwachstellen in Dovecot ausnutzen, um SQL-Injection-Angriffe durchzuführen, die Authentifizierung zu umgehen, vertrauliche Informationen offenzulegen oder einen Denial-of-Service-Zustand herbeizuführen.
Published: 2026-03-26T23:00:00+00:00

References

https://documentation.open-xchange.com/dovecot/security/advisories/csaf/2026/oxdc-adv-2026-0001.json