CVE-2026-27860

Summary

If auth_username_chars is empty, it is possible to inject arbitrary LDAP filter to Dovecot's LDAP authentication. This leads to potentially bypassing restrictions and allows probing of LDAP structure. Do not clear out auth_username_chars, or install fixed version. No publicly available exploits are known.

Affected Software

VendorProductVersion RangeStatus
Open-Xchange GmbHOX Dovecot Pro0 <= 3.1.0affected
Open-Xchange GmbHOX Dovecot Pro0 <= 2.4.0affected

Weaknesses

  • CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References