CVE-2026-0394
Path Traversal in Dovecot Per-Domain Passwd Files Enables Unauthorized Access
Publication date: 2026-03-27
Last updated on: 2026-04-29
Assigner: Open-Xchange
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| open-xchange | dovecot | to 3.1.0 (exc) |
| dovecot | dovecot | to 2.4.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability occurs in dovecot when it is configured to use per-domain passwd files that are placed one directory level above /etc, or when a slash character is allowed in the domain component. This setup can lead to a path traversal issue if the domain component is a directory partial, allowing an attacker to read sensitive files such as /etc/passwd.
If the passwd file contains passwords, this vulnerability can be exploited to authenticate incorrectly. Alternatively, if the file is a user database (userdb), it can cause system users to appear as valid users unexpectedly.
To mitigate this vulnerability, users should upgrade to a fixed version of dovecot, use a different authentication scheme that does not rely on paths, or ensure that per-domain passwd files are stored in a safer location such as /etc/dovecot/auth/%d.
How can this vulnerability impact me? :
This vulnerability can impact you by allowing unauthorized reading of sensitive files like /etc/passwd. If these files contain passwords, attackers could authenticate improperly, gaining unauthorized access.
Additionally, if the user database is affected, system users might be mistakenly recognized as valid users, potentially leading to unauthorized access or privilege escalation.
Overall, this could compromise system security by allowing attackers to bypass authentication mechanisms.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should upgrade to a fixed version of dovecot.
Alternatively, use a different authentication scheme that does not rely on paths.
You can also ensure that the per-domain passwd files are stored in a different location, such as /etc/dovecot/auth/%d.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
This vulnerability allows path traversal to read sensitive files such as /etc/passwd, which may contain password or user information. If exploited, it could lead to unauthorized access or authentication bypass.
Such unauthorized access to sensitive user data could potentially impact compliance with data protection regulations like GDPR or HIPAA, which require safeguarding personal and authentication information.
However, the CVE description does not explicitly mention compliance impacts or regulatory considerations.