Description
When dovecot has been configured to use per-domain passwd files, and they are placed one path component above /etc, or slash has been added to allowed characters, path traversal can happen if the domain component is directory partial. This allows inadvertently reading /etc/passwd (or some other path which ends with passwd). If this file contains passwords, it can be used to authenticate wrongly, or if this is userdb, it can unexpectly make system users appear valid users. Upgrade to fixed version, or use different authentication scheme that does not rely on paths. Alternatively you can also ensure that the per-domain passwd files are in some other location, such as /etc/dovecot/auth/%d. No publicly available exploits are known.
Published: 2026-03-27
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure / Authentication Bypass
Action: Patch
AI Analysis

Impact

This vulnerability in Open-Xchange Dovecot Pro allows an attacker to perform path traversal when the service is configured to use per-domain passwd files located just above the system root or with permissive slashes. The flaw permits reading any file ending with 'passwd', such as /etc/passwd. If the file contains authentication credentials, the attacker can gain unauthorized access or make existing system users appear as valid mailbox users. The weakness maps to CWE‑22.

Affected Systems

The flaw affects installations of Open-Xchange GmbH’s OX Dovecot Pro that use the per-domain passwd file configuration described above. No specific version information is supplied, so the issue may apply to all current releases that support such configuration.

Risk and Exploitability

The CVSS base score of 5.3 indicates moderate severity. Exploitability requires the attacker to influence the domain component used in the passwd file path, typically by controlling the domain configuration or spoofing a domain in an authentication attempt. No public exploits are known and the vulnerability is not listed in CISA’s KEV catalog, but the potential for unauthorized file disclosure or authentication bypass warrants timely remediation.

Generated by OpenCVE AI on March 27, 2026 at 10:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor‑supplied patch to the latest fixed version of OX Dovecot Pro.
  • Reconfigure Dovecot to avoid relying on filesystem paths for authentication, or relocate per‑domain passwd files to a safe directory such as /etc/dovecot/auth/%d.
  • Verify that the domain component used for per-domain passwd files is not a directory partial and does not contain disallowed characters.
  • Confirm that the configuration change prevents unintended access to system files.

Generated by OpenCVE AI on March 27, 2026 at 10:06 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6197-1 dovecot security update
Ubuntu USN Ubuntu USN USN-8136-1 Dovecot vulnerabilities
Ubuntu USN Ubuntu USN USN-8136-2 Dovecot regression
History

Wed, 29 Apr 2026 19:45:00 +0000

Type Values Removed Values Added
First Time appeared Dovecot
Dovecot dovecot
Open-xchange dovecot
CPEs cpe:2.3:a:dovecot:dovecot:*:*:*:*:*:*:*:*
cpe:2.3:a:open-xchange:dovecot:*:*:*:*:pro:*:*:*
Vendors & Products Dovecot
Dovecot dovecot
Open-xchange dovecot

Mon, 30 Mar 2026 07:15:00 +0000

Type Values Removed Values Added
First Time appeared Open-xchange
Open-xchange ox Dovecot Pro
Vendors & Products Open-xchange
Open-xchange ox Dovecot Pro

Sat, 28 Mar 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sat, 28 Mar 2026 12:15:00 +0000

Type Values Removed Values Added
Title Path Traversal via Per‑Domain Password Files in Open‑Xchange Dovecot dovecot: Dovecot: Information disclosure and authentication bypass via path traversal
References
Metrics threat_severity

None

 threat_severity

Moderate

Fri, 27 Mar 2026 20:30:00 +0000

Type Values Removed Values Added
Title Path Traversal via Per‑Domain Password Files in Open‑Xchange Dovecot

Fri, 27 Mar 2026 08:30:00 +0000

Type Values Removed Values Added
Description When dovecot has been configured to use per-domain passwd files, and they are placed one path component above /etc, or slash has been added to allowed characters, path traversal can happen if the domain component is directory partial. This allows inadvertently reading /etc/passwd (or some other path which ends with passwd). If this file contains passwords, it can be used to authenticate wrongly, or if this is userdb, it can unexpectly make system users appear valid users. Upgrade to fixed version, or use different authentication scheme that does not rely on paths. Alternatively you can also ensure that the per-domain passwd files are in some other location, such as /etc/dovecot/auth/%d. No publicly available exploits are known.
Weaknesses CWE-22
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

Subscriptions

Dovecot Dovecot
Open-xchange Dovecot Ox Dovecot Pro
cve-icon MITRE

Status: PUBLISHED

Assigner: OX

Published:

Updated: 2026-03-27T19:41:17.447Z

Reserved: 2025-11-28T09:18:02.607Z

Link: CVE-2026-0394

cve-icon Vulnrichment

Updated: 2026-03-27T19:41:13.207Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-27T09:16:19.283

Modified: 2026-04-29T19:40:46.587

Link: CVE-2026-0394

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-03-27T08:10:17Z

Links: CVE-2026-0394 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-03-30T07:02:16Z

Weaknesses