CVE-2026-40020

EUVD-2026-29471
Attacker can use the IMAP SETACL command to inject the anyone permission to user's dovecot-acl file even if imap_acl_allow_anyone=no. This causes folders to be spammed to all users. The impact is limited to being able to spam folders to other users, no unexpected access is gained. Install to fixed version. No publicly available exploits are known.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
3.1 LOW
NETWORK
HIGH
LOW
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L
Base Score
CVSS 3.x
EPSS Score
Percentile: 18%
Affected Products (NVD)
VendorProductVersion
dovecotdovecot
𝑥
< 2.4.4
open-xchangedovecot
𝑥
< 3.1.5
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
dovecot
bookworm
vulnerable
bookworm (security)
1:2.3.19.1+dfsg1-2.1+deb12u6
fixed
bullseye
vulnerable
bullseye (security)
1:2.3.13+dfsg1-2+deb11u4
fixed
forky
1:2.4.4+dfsg1-1
fixed
sid
1:2.4.4+dfsg1-1
fixed
trixie
vulnerable
trixie (security)
1:2.4.1+dfsg1-6+deb13u6
fixed
openSUSE logo
openSUSE / SLES Releases
openSUSE Product
Release
dovecot22
suse enterprise server 12 SP3
2.2.31-19.37.2
fixed
suse enterprise server 12 SP5
2.2.31-19.37.2
fixed
dovecot22-backend-mysql
suse enterprise server 12 SP3
2.2.31-19.37.2
fixed
suse enterprise server 12 SP5
2.2.31-19.37.2
fixed
dovecot22-backend-pgsql
suse enterprise server 12 SP3
2.2.31-19.37.2
fixed
suse enterprise server 12 SP5
2.2.31-19.37.2
fixed
dovecot22-backend-sqlite
suse enterprise server 12 SP3
2.2.31-19.37.2
fixed
suse enterprise server 12 SP5
2.2.31-19.37.2
fixed
dovecot22-devel
suse enterprise server 12 SP5
2.2.31-19.37.2
fixed
Common Weakness Enumeration
References
https://documentation.open-xchange.com/dovecot/security/advisories/csaf/2026/oxdc-adv-2026-0002.json