Description
If auth_username_chars is empty, it is possible to inject arbitrary LDAP filter to Dovecot's LDAP authentication. This leads to potentially bypassing restrictions and allows probing of LDAP structure. Do not clear out auth_username_chars, or install fixed version. No publicly available exploits are known.
Published: 2026-03-27
Score: 3.7 Low
EPSS: < 1% Very Low
KEV: No
Impact: Authentication Bypass and LDAP Structure Disclosure
Action: Apply Patch
AI Analysis

Impact

Authentication credentials can be manipulated when the configuration parameter auth_username_chars is left empty. This allows an attacker to inject arbitrary LDAP filters into the authentication process, potentially bypassing access controls and revealing information about the LDAP directory. The weakness corresponds to CWE-90, which addresses LDAP Injection.

Affected Systems

Open‑Xchange GmbH’s OX Dovecot Pro is the affected product. No specific vulnerable versions are listed in the advisory, so all releases that use the default or an empty auth_username_chars value are potentially impacted.

Risk and Exploitability

With a CVSS score of 3.7 the vulnerability is considered low severity. No public exploits are known and the EPSS score is unavailable, suggesting limited exploitation risk under current conditions. Since the vulnerability relies on a misconfiguration that allows LDAP filter injection, an attacker must have the ability to provide authentication credentials to the affected service. The CISA KEV list does not include this issue, indicating it has not yet been exploited in the wild.

Generated by OpenCVE AI on March 27, 2026 at 09:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest fixed version of OX Dovecot Pro released by Open‑Xchange.
  • If an update is not yet available, configure the server so that the auth_username_chars setting is not left empty.
  • Verify that LDAP queries are properly sanitized and that authentication corresponds to the expected user.
  • Monitor logs for anomalous LDAP requests that may indicate an attempted injection.

Generated by OpenCVE AI on March 27, 2026 at 09:35 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 27 Mar 2026 13:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 27 Mar 2026 10:00:00 +0000

Type Values Removed Values Added
Title LDAP Filter Injection in Open‑Xchange OX Dovecot Pro

Fri, 27 Mar 2026 08:30:00 +0000

Type Values Removed Values Added
Description If auth_username_chars is empty, it is possible to inject arbitrary LDAP filter to Dovecot's LDAP authentication. This leads to potentially bypassing restrictions and allows probing of LDAP structure. Do not clear out auth_username_chars, or install fixed version. No publicly available exploits are known.
Weaknesses CWE-90
References
Metrics cvssV3_1

{'score': 3.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: OX

Published:

Updated: 2026-03-27T12:33:57.043Z

Reserved: 2026-02-24T08:46:09.374Z

Link: CVE-2026-27860

cve-icon Vulnrichment

Updated: 2026-03-27T12:33:42.647Z

cve-icon NVD

Status : Received

Published: 2026-03-27T09:16:20.383

Modified: 2026-03-27T09:16:20.383

Link: CVE-2026-27860

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-27T09:45:42Z

Weaknesses