CVE-2026-0394
Received Received - Intake
Path Traversal in Dovecot Per-Domain Passwd Files Enables Unauthorized Access

Publication date: 2026-03-27

Last updated on: 2026-04-29

Assigner: Open-Xchange

Description
When dovecot has been configured to use per-domain passwd files, and they are placed one path component above /etc, or slash has been added to allowed characters, path traversal can happen if the domain component is directory partial. This allows inadvertently reading /etc/passwd (or some other path which ends with passwd). If this file contains passwords, it can be used to authenticate wrongly, or if this is userdb, it can unexpectly make system users appear valid users. Upgrade to fixed version, or use different authentication scheme that does not rely on paths. Alternatively you can also ensure that the per-domain passwd files are in some other location, such as /etc/dovecot/auth/%d. No publicly available exploits are known.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-27
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-03-27
EPSS Evaluated
2026-06-15
NVD
CVE-2026-0394
EUVD
EUVD-2026-16559
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
open-xchange dovecot to 3.1.0 (exc)
dovecot dovecot to 2.4.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

This vulnerability allows path traversal to read sensitive files such as /etc/passwd, which may contain password or user information. If exploited, it could lead to unauthorized access or authentication bypass.

Such unauthorized access to sensitive user data could potentially impact compliance with data protection regulations like GDPR or HIPAA, which require safeguarding personal and authentication information.

However, the CVE description does not explicitly mention compliance impacts or regulatory considerations.

Executive Summary

This vulnerability occurs in dovecot when it is configured to use per-domain passwd files that are placed one directory level above /etc, or when a slash character is allowed in the domain component. This setup can lead to a path traversal issue if the domain component is a directory partial, allowing an attacker to read sensitive files such as /etc/passwd.

If the passwd file contains passwords, this vulnerability can be exploited to authenticate incorrectly. Alternatively, if the file is a user database (userdb), it can cause system users to appear as valid users unexpectedly.

To mitigate this vulnerability, users should upgrade to a fixed version of dovecot, use a different authentication scheme that does not rely on paths, or ensure that per-domain passwd files are stored in a safer location such as /etc/dovecot/auth/%d.

Impact Analysis

This vulnerability can impact you by allowing unauthorized reading of sensitive files like /etc/passwd. If these files contain passwords, attackers could authenticate improperly, gaining unauthorized access.

Additionally, if the user database is affected, system users might be mistakenly recognized as valid users, potentially leading to unauthorized access or privilege escalation.

Overall, this could compromise system security by allowing attackers to bypass authentication mechanisms.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade to a fixed version of dovecot.

Alternatively, use a different authentication scheme that does not rely on paths.

You can also ensure that the per-domain passwd files are stored in a different location, such as /etc/dovecot/auth/%d.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-0394. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart