Description
When the safe filter is used with variable expansion, all following pipelines on the same string are incorrectly interpreted as safe too, enabling unsafe data to be unescaped. This can enable SQL / LDAP injection attacks when used in authentication. Avoid using the safe filter until on a fixed version. No publicly available exploits are known.
Published: 2026-05-12
Score: 7.4 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

When the safe filter is combined with variable expansion, the system mistakenly treats any subsequent pipeline expressions on the same string as safe as well. This flaw allows unsanitized data to be unescaped. Attackers can exploit this behavior to inject arbitrary SQL or LDAP commands through authentication mechanisms, potentially compromising data confidentiality, integrity, or availability. The weakness is a CWE-235 "Improper Neutralization of Input During Runtime" flaw.

Affected Systems

The vulnerability affects Open-Xchange GmbH's OX Dovecot Pro software. No specific version ranges are listed in the advisory, so any deployed instance of this product may be susceptible until a fix is applied.

Risk and Exploitability

The CVSS score of 7.4 places this issue in the high-severity tier. Although the EPSS score is not available and the flaw is not listed in CISA's KEV catalog, the potential for injection in authentication suggests that a remote attacker could exploit it via the public authentication interface. No public exploits have been reported, but the underlying mechanism provides a straightforward exploitation path once an attacker can craft credentials containing injected commands.

Generated by OpenCVE AI on May 12, 2026 at 15:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply any vendor-supplied patch or upgrade to a fixed version as soon as it becomes available
  • Until a patch is available, do not use the safe filter syntax with variable expansion in authentication flows
  • Re-review authentication and filter configurations to eliminate any use of unsafe data in safe filter expressions


Tracking


Advisories

No advisories yet.

History

Tue, 12 May 2026 15:45:00 +0000

Type                  Values Removed   Values Added
Title                                  Insecure Safe Filter in Open-Xchange OX Dovecot Pro Enabling Injection Attacks
First Time appeared                    Open-xchange
                                       Open-xchange ox Dovecot Pro
Vendors & Products                     Open-xchange
                                       Open-xchange ox Dovecot Pro

Tue, 12 May 2026 15:30:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 12 May 2026 14:00:00 +0000

Type          Values Removed   Values Added
Description                    When safe filter is used with variable expansion, all following pipelines on the same string are incorrectly interpreted as safe too, enabling unsafe data to be unescaped. This can enable SQL / LDAP injection attacks when used in authentication. Avoid using safe filter until on fixed version. No publicly available exploits are known.
Weaknesses                     CWE-235
References
Metrics                        cvssV3_1: {'score': 7.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N'}


Subscriptions

Open-xchange Ox Dovecot Pro
MITRE

Status: PUBLISHED

Assigner: OX

Published:

Updated: 2026-05-12T15:06:35.962Z

Reserved: 2026-02-24T08:46:09.372Z

Link: CVE-2026-27851

Vulnrichment

Updated: 2026-05-12T15:06:30.355Z

NVD

Status : Awaiting Analysis

Published: 2026-05-12T14:16:56.857

Modified: 2026-05-12T15:08:22.857

Link: CVE-2026-27851

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-12T15:30:18Z

Weaknesses