CVE-2026-33603

EUVD-2026-29468
Attacker can use a specially crafted base64 exchange between Dovecot and Client to fake SCRAM TLS channel binding. This requires that the attacker is able to position itself between Dovecot and the client connection. If successful, the attacker can eavesdrop communications between Dovecot and client as MITM proxy. Install fixed version. No publicly available exploits are known.
Resource Injection
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
6.8 MEDIUM
ADJACENT_NETWORK
HIGH
NONE
CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 12%
Affected Products (NVD)
VendorProductVersion
dovecotdovecot
𝑥
< 2.4.4
open-xchangedovecot
𝑥
< 3.1.5
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
dovecot
bookworm
vulnerable
bookworm (security)
1:2.3.19.1+dfsg1-2.1+deb12u6
fixed
bullseye
vulnerable
bullseye (security)
1:2.3.13+dfsg1-2+deb11u4
fixed
forky
1:2.4.4+dfsg1-1
fixed
sid
1:2.4.4+dfsg1-1
fixed
trixie
vulnerable
trixie (security)
1:2.4.1+dfsg1-6+deb13u6
fixed
openSUSE logo
openSUSE / SLES Releases
openSUSE Product
Release
dovecot22
suse enterprise server 12 SP3
2.2.31-19.37.2
fixed
suse enterprise server 12 SP5
2.2.31-19.37.2
fixed
dovecot22-backend-mysql
suse enterprise server 12 SP3
2.2.31-19.37.2
fixed
suse enterprise server 12 SP5
2.2.31-19.37.2
fixed
dovecot22-backend-pgsql
suse enterprise server 12 SP3
2.2.31-19.37.2
fixed
suse enterprise server 12 SP5
2.2.31-19.37.2
fixed
dovecot22-backend-sqlite
suse enterprise server 12 SP3
2.2.31-19.37.2
fixed
suse enterprise server 12 SP5
2.2.31-19.37.2
fixed
dovecot22-devel
suse enterprise server 12 SP5
2.2.31-19.37.2
fixed
Common Weakness Enumeration
References
https://documentation.open-xchange.com/dovecot/security/advisories/csaf/2026/oxdc-adv-2026-0002.json