CVE-2026-24031
Authentication Bypass in Dovecot SQL via auth_username_chars Misconfiguration
Publication date: 2026-03-27
Last updated on: 2026-04-29
Assigner: Open-Xchange
Description
Dovecot's SQL-based authentication (the sql passdb/userdb) is vulnerable to SQL injection (CWE-89) when an administrator clears the auth_username_chars setting. That setting is an allowlist of characters permitted in login names; an empty value disables the check, so a username carrying SQL metacharacters reaches the SQL lookup query unfiltered. An attacker can then bypass authentication for any user and enumerate valid usernames. Fixed in Dovecot 2.4.3 and Open-Xchange Dovecot Pro 3.1.4; the recommended mitigation is not to clear auth_username_chars.
CVSS Scores
Base score 7.7 (High): high impact on confidentiality and integrity, low impact on availability.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| dovecot | dovecot | all versions before 2.4.3 (fixed in 2.4.3) |
| open-xchange | dovecot (Dovecot Pro) | all versions before 3.1.4 (fixed in 3.1.4) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
Exploitation lets an attacker authenticate as any user and enumerate valid accounts, which amounts to unauthorized access to whatever mail and personal data those mailboxes hold.
Regulations such as GDPR and HIPAA require effective access controls around personal and health information, so a successful exploit against a server holding such data could constitute a violation and may trigger breach-notification duties.
The exposure is configuration-dependent: only deployments that cleared auth_username_chars are affected, which is also the evidence an auditor will want to see.
Can you explain this vulnerability to me?
The flaw is in Dovecot's SQL authentication backend (the sql passdb/userdb), where the login name is placed into an administrator-defined SQL lookup query. The auth_username_chars setting is an allowlist of characters permitted in usernames; a login name containing any other character is rejected before it reaches the backend. If an administrator clears the setting (sets it to an empty value), every character is allowed, and a username containing SQL syntax can alter the query (CWE-89). The result is an authentication bypass for any user and the ability to enumerate valid usernames.
The recommended mitigation is to leave auth_username_chars at its default rather than clearing it. If the deployment genuinely needs characters outside the default set, upgrade to a fixed release (Dovecot 2.4.3, Open-Xchange Dovecot Pro 3.1.4) before relaxing the allowlist.
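As an added illustration of the mechanism (a constructed model written for this page, not Dovecot's code and not the fixed query): a username allowlist standing in for auth_username_chars, a hypothetical password lookup query `PASSWORD_QUERY` that splices the login name into SQL text, and a SQLite table with two constructed accounts. With the default allowlist the crafted names never reach SQL; with the allowlist cleared the same names rewrite the query, and a parameterized lookup shows the backend-side fix. The default character list is quoted from the Dovecot documentation and should be confirmed against the installed version.

```python
import sqlite3

# Dovecot's documented default for auth_username_chars (assumption: copied from
# the Dovecot settings documentation; confirm with `doveconf auth_username_chars`).
DEFAULT_USERNAME_CHARS = (
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@"
)

# Hypothetical lookup query that splices the login name into SQL text without
# neutralizing it: the CWE-89 pattern, not a claim about Dovecot's real query code.
PASSWORD_QUERY = "SELECT password FROM users WHERE username = '{user}'"


def username_allowed(username: str, allowed_chars: str) -> bool:
    """Model of the auth_username_chars allowlist. Dovecot documents that an
    empty value allows every character, so a cleared setting disables the check."""
    if allowed_chars == "":
        return True
    return all(ch in allowed_chars for ch in username)


def make_db() -> sqlite3.Connection:
    """Constructed in-memory user table standing in for the real SQL backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "correct-horse"), ("bob", "battery-staple")],
    )
    return conn


def lookup_passwords(conn, username, allowed_chars, parameterized=False):
    """Allowlist first, then SQL, the order the auth frontend enforces.
    Returns None when the allowlist rejects the name, otherwise the list of
    password values the query returned."""
    if not username_allowed(username, allowed_chars):
        return None
    if parameterized:
        # Backend-side fix: the name travels as a bound value, never as SQL text.
        rows = conn.execute(
            "SELECT password FROM users WHERE username = ?", (username,)
        ).fetchall()
    else:
        rows = conn.execute(PASSWORD_QUERY.format(user=username)).fetchall()
    return [row[0] for row in rows]


def login(conn, username, password, allowed_chars, parameterized=False) -> str:
    """'rejected' (allowlist), 'ok' (a returned password matched) or 'fail'."""
    found = lookup_passwords(conn, username, allowed_chars, parameterized)
    if found is None:
        return "rejected"
    return "ok" if password in found else "fail"


def user_exists_probe(conn, username, allowed_chars, parameterized=False):
    """True if the lookup returned any row. An injected condition turns the
    success/failure difference into a yes/no oracle about other rows, which is
    the user-enumeration side of the bug. None if the allowlist rejected the name."""
    found = lookup_passwords(conn, username, allowed_chars, parameterized)
    return None if found is None else bool(found)


if __name__ == "__main__":
    db = make_db()
    # Injected name: a UNION appends an attacker-chosen "password" to the result.
    attacker_name = "alice' UNION SELECT 'attacker' --"
    print(login(db, "alice", "correct-horse", DEFAULT_USERNAME_CHARS))   # ok
    print(login(db, attacker_name, "attacker", DEFAULT_USERNAME_CHARS))  # rejected
    print(login(db, attacker_name, "attacker", ""))                      # ok (bypass)
    print(login(db, attacker_name, "attacker", "", parameterized=True))  # fail
    probe = "nobody' OR username LIKE 'al%' --"
    print(user_exists_probe(db, probe, ""))                              # True
```

The allowlist is a frontend defense in depth: it stops the quote and space characters the injected names depend on before any query is built, which is why the advisory's first recommendation is simply not to clear it. The parameterized branch shows the property a fixed backend must have regardless of the allowlist, since a cleared allowlist is a legitimate configuration once the backend itself neutralizes the input.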
How can this vulnerability impact me?
An attacker who can reach a service that authenticates through the affected SQL passdb (IMAP, POP3, Submission, or anything else using it) can bypass the password check and gain access to any user's mailbox.
Username enumeration additionally yields a list of valid accounts that can be used for password spraying, phishing, or targeting the bypass at specific users.
The CVSS score of 7.7 (High) reflects high impact on confidentiality and integrity and low impact on availability; the precondition is a non-default configuration in which auth_username_chars has been cleared.
What immediate steps should I take to mitigate this vulnerability?
Check the running configuration: `doveconf auth_username_chars` should print a non-empty character list (the default allows ASCII letters, digits and `.-_@`). If the value is empty, restore the default (or at least a list that excludes quotes and other SQL metacharacters) and reload Dovecot.
Then upgrade to Dovecot 2.4.3 or later (Open-Xchange Dovecot Pro 3.1.4 or later). If the allowlist genuinely must be cleared, only a fixed release makes that safe; do so after upgrading, not before.
Review authentication logs for login attempts whose usernames contain quotes or SQL keywords, since on an affected host those indicate probing of this bug.
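A triage check, added here as example code rather than anything from the advisory or the Dovecot project: it parses the text of `doveconf -n` (whose first line carries the version) for a cleared auth_username_chars and compares the version against the fixed releases in the affected-products table above. The sample outputs are constructed, the commit hash in their headers is a placeholder, and the header format `# <version> (<hash>): <config path>` and the 3.x version string for Dovecot Pro are assumptions to verify on your own hosts.

```python
import re
from typing import Optional, Tuple

# Fixed releases as listed in this advisory's affected-products table.
FIXED_VERSIONS = {
    "dovecot": (2, 4, 3),
    "open-xchange dovecot": (3, 1, 4),  # assumption: Pro reports a 3.x version string
}

# Constructed samples of `doveconf -n` output (not captured from real hosts);
# the hash in the header line is a placeholder. `doveconf -n` prints only
# settings that differ from the compiled-in defaults, so an absent
# auth_username_chars line means the default allowlist is in effect.
SAMPLE_CLEARED_UNFIXED = """\
# 2.4.2 (0000000000): /etc/dovecot/dovecot.conf
auth_mechanisms = plain login
auth_username_chars =
"""
SAMPLE_CLEARED_FIXED = """\
# 2.4.3 (0000000000): /etc/dovecot/dovecot.conf
auth_username_chars =
"""
SAMPLE_DEFAULT = """\
# 2.4.2 (0000000000): /etc/dovecot/dovecot.conf
auth_mechanisms = plain login
"""


def parse_setting(doveconf_output: str, name: str) -> Optional[str]:
    """Value of a top-level `name = value` line: '' when the setting is present
    but cleared, None when it is absent (the default is in effect)."""
    pattern = re.compile(r"^\s*" + re.escape(name) + r"\s*=\s*(.*?)\s*$")
    for line in doveconf_output.splitlines():
        match = pattern.match(line)
        if match:
            return match.group(1)
    return None


def parse_version(doveconf_output: str) -> Optional[Tuple[int, ...]]:
    """Version from the leading `# <version> (<hash>): <path>` comment
    (assumption: standard doveconf header format)."""
    match = re.match(r"#\s*(\d+(?:\.\d+)+)", doveconf_output.lstrip())
    if not match:
        return None
    return tuple(int(part) for part in match.group(1).split("."))


def assess(doveconf_output: str, product: str = "dovecot") -> str:
    """Combine the two conditions the advisory names: cleared allowlist and
    an unfixed release. An unknown version is treated as unfixed."""
    chars = parse_setting(doveconf_output, "auth_username_chars")
    version = parse_version(doveconf_output)
    if chars is None or chars != "":
        return "not exposed: auth_username_chars is not cleared"
    if version is not None and version >= FIXED_VERSIONS[product]:
        return "cleared, but running a fixed release"
    return "EXPOSED: auth_username_chars is cleared on an unfixed (or unknown) release"


if __name__ == "__main__":
    for label, sample in [("cleared/unfixed", SAMPLE_CLEARED_UNFIXED),
                          ("cleared/fixed", SAMPLE_CLEARED_FIXED),
                          ("default", SAMPLE_DEFAULT)]:
        print(f"{label}: {assess(sample)}")
```

On a real host feed it the live dump, for example `assess(subprocess.run(["doveconf", "-n"], capture_output=True, text=True).stdout)`, and run it from configuration management across the fleet; a cleared allowlist on an unfixed release is the only combination the advisory describes as exploitable.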