CVE-2026-24031

Summary

Dovecot SQL based authentication can be bypassed when auth_username_chars is cleared by admin. This vulnerability allows bypassing authentication for any user and user enumeration. Do not clear auth_username_chars. If this is not possible, install latest fixed version. No publicly available exploits are known.

Affected Software

VendorProductVersion RangeStatus
Open-Xchange GmbHOX Dovecot Pro0 <= 3.1.0affected
Open-Xchange GmbHOX Dovecot Pro0 <= 2.4.0affected

Weaknesses

  • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

dovecot: Dovecot: Authentication bypass and user enumeration due to cleared auth_username_chars configuration

Additional References

References