CVE-2025-30189
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-10-31

Last updated on: 2026-03-27

Assigner: Open-Xchange

Description
When cache is enabled, some passdb/userdb drivers incorrectly cache all users with same cache key, causing wrong cached information to be used for these users. After cached login, all subsequent logins are for same user. Install fixed version or disable caching either globally or for the impacted passdb/userdb drivers. No publicly available exploits are known.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-10-31
Last Modified
2026-03-27
Generated
2026-06-16
AI Q&A
2025-10-31
EPSS Evaluated
2026-06-15
NVD
CVE-2025-30189
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
open-xchange dovecot 2.4.1
open-xchange dovecot 2.4.2
open-xchange dovecot 2.4.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-1250 The product has or supports multiple distributed components or sub-systems that are each required to keep their own local copy of shared data - such as state or cache - but the product does not ensure that all local copies remain consistent with each other.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-30189 is a vulnerability in Open-Xchange's Dovecot CE product affecting versions 2.4.0 and 2.4.1. When caching is enabled for certain passdb/userdb drivers, the system incorrectly caches all users under the same cache key instead of unique keys per user. This causes the authentication cache to return the wrong user information after the first login, meaning that after one user logs in, all subsequent logins are treated as that same user. This flaw arises from improper handling of the cache key expansion, leading to incorrect reuse of cached authentication data. [1, 2]

Impact Analysis

This vulnerability can cause users to be authenticated as the wrong user, potentially granting access to another user's account. This leads to a serious breach of confidentiality and integrity, as unauthorized users may access sensitive information or perform actions under another user's identity. The impact is high on confidentiality and integrity but does not affect availability. It can result in unauthorized data exposure and compromise of user accounts. [1, 2]

Detection Guidance

Detection can be performed by verifying if the affected Dovecot versions (2.4.0 or 2.4.1) are in use and if authentication caching is enabled for passdb/userdb drivers. Since the vulnerability causes all subsequent logins to be treated as the same user after one cached login, monitoring login behavior for repeated identical user sessions despite different credentials may indicate the issue. Specific commands to check the Dovecot version include `dovecot --version`. To check if auth caching is enabled, inspect the Dovecot configuration files for the `auth_cache_size` setting. For example, running `grep auth_cache_size /etc/dovecot/conf.d/*` can reveal if caching is enabled and its size. If `auth_cache_size` is greater than 0, caching is enabled and the system may be vulnerable if running an affected version. [2]

Mitigation Strategies

Immediate mitigation steps include either upgrading Dovecot to version 2.4.2 or later, where the vulnerability is fixed, or disabling authentication caching by setting `auth_cache_size=0` in the Dovecot configuration. Disabling caching can be done globally or specifically for the impacted passdb/userdb drivers. These steps prevent the incorrect caching behavior that leads to users being logged in as the wrong account. [1, 2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-30189. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart