CVE-2026-27860

EPSS 0.04%
Veröffentlicht 27.03.2026 08:10:22
Zuletzt bearbeitet 29.04.2026 19:26:19
Quelle security@open-xchange.com
CVE-Watchlists
Login
Unerledigt
Login

If auth_username_chars is empty, it is possible to inject arbitrary LDAP filter to Dovecot's LDAP authentication. This leads to potentially bypassing restrictions and allows probing of LDAP structure. Do not clear out auth_username_chars, or install fixed version. No publicly available exploits are known.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 4

NVD 2 VulnDex Vulnerability Enrichment 0

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Dovecot ≫ Dovecot Version < 2.4.3

Open-xchange ≫ Dovecot SwEditionpro Version < 3.1.4

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.04%	0.121

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	5.3	3.9	1.4	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
security@open-xchange.com	3.7	2.2	1.4	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

CWE-90 Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')

The product constructs all or part of an LDAP query using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended LDAP query when it is sent to a downstream component.

https://documentation.open-xchange.com/dovecot/security/advisories/csaf/2026/oxdc-adv-2026-0001.json

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2026-27860

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-27860

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-27860

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-27860