CVE-2026-27860
LDAP Injection in Dovecot Authentication Allows Access Bypass
Publication date: 2026-03-27
Last updated on: 2026-04-29
Assigner: Open-Xchange
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| dovecot | dovecot | all versions before 2.4.3 (2.4.3 excluded) |
| open-xchange | dovecot | all versions before 3.1.4 (3.1.4 excluded) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-90 | The product constructs all or part of an LDAP query using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended LDAP query when it is sent to a downstream component. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability occurs when the configuration parameter auth_username_chars is empty in Dovecot's LDAP authentication. In this case, it becomes possible to inject arbitrary LDAP filters, which can bypass certain restrictions and allow an attacker to probe the LDAP directory structure.
How can this vulnerability impact me?
The vulnerability can potentially allow an attacker to bypass authentication restrictions and gain unauthorized insight into the LDAP directory structure. However, no publicly available exploits are known, and the impact is limited to information disclosure with a low severity score.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, do not clear out the auth_username_chars setting in Dovecot's LDAP authentication configuration.
Alternatively, install a fixed version of Dovecot that addresses this issue.
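The mechanism described in the answers above, as an added example that is not Dovecot's own code: a small Python model of the auth_username_chars allow-list next to RFC 4515 escaping of values placed in an LDAP search filter. The default character list is taken from Dovecot's documentation but stated here as an assumption, and the posixAccount/uid filter shape and all function names are assumed for illustration only.

```python
from typing import Optional

# Assumption: the default auth_username_chars value as listed in Dovecot's
# documentation. An empty value disables the check entirely.
DEFAULT_AUTH_USERNAME_CHARS = (
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@"
)

# RFC 4515 escape sequences for characters that have meaning inside a filter.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a string so an LDAP server treats it as a literal attribute value."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def username_allowed(username: str, allowed_chars: str) -> bool:
    """Model of auth_username_chars: an empty allow-list accepts everything."""
    if allowed_chars == "":
        return True  # the vulnerable configuration: no character is rejected
    return all(ch in allowed_chars for ch in username)


def build_user_filter(username: str, allowed_chars: str,
                      escape: bool) -> Optional[str]:
    """Return the filter a user lookup would send, or None if login is rejected.

    Hypothetical filter shape; Dovecot substitutes the name into ldap_filter.
    """
    if not username_allowed(username, allowed_chars):
        return None
    value = escape_filter_value(username) if escape else username
    return f"(&(objectClass=posixAccount)(uid={value}))"


if __name__ == "__main__":
    # Constructed sample input containing a filter metacharacter.
    for allow, esc in ((DEFAULT_AUTH_USERNAME_CHARS, False), ("", False), ("", True)):
        print(repr(allow[:8]), esc, build_user_filter("alice*", allow, esc))
```

With the default allow-list the name is rejected before any filter is built; with an empty allow-list and no escaping the metacharacter reaches the filter unchanged, and escaping is what restores its literal meaning.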