HIGH🇵🇱 Wersja polska

CVE-2026-24031

CVSS 7.7v3.1pub. 2026-03-27upd. 2026-06-30

Dovecot SQL based authentication can be bypassed when auth_username_chars is cleared by admin. This vulnerability allows bypassing authentication for any user and user enumeration. Do not clear auth_username_chars. If this is not possible, install latest fixed version. No publicly available exploits are known.

CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L
  • Dovecot

    APP
    Dovecot
    < 2.4.3
  • Open Xchange Dovecot

    APP
    Open-Xchange
    < 3.1.4
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
SQLi
CWE
References

Related vulnerabilities

CVE-2019-11500CRITICAL9.8ten sam produkt

In Dovecot before 2.2.36.4 and 2.3.x before 2.3.7.2 (and Pigeonhole before 0.5.7.2), protocol processing can f...

CVE-2026-27851HIGH7.4ten sam produkt

When safe filter is used with variable expansion, all following pipelines on the same string are incorrectly i...

CVE-2026-27856HIGH7.4ten sam produkt

Doveadm credentials are verified using direct comparison which is susceptible to timing oracle attack. An atta...

CVE-2025-59032HIGH7.5ten sam produkt

ManageSieve AUTHENTICATE command crashes when using literal as SASL initial response. This can be used to cras...

CVE-2026-27858HIGH7.5ten sam produkt

Attacker can send a specifically crafted message before authentication that causes managesieve to allocate lar...