Description
If auth_username_chars is empty, it is possible to inject an arbitrary LDAP filter into Dovecot's LDAP authentication. This leads to potentially bypassing restrictions and allows probing of LDAP structure. Do not clear out auth_username_chars, or install a fixed version. No publicly available exploits are known.
Published: 2026-03-27
Score: 3.7 Low
EPSS: < 1% Very Low
KEV: No
Impact: Authentication Bypass and LDAP Structure Disclosure
Action: Apply Patch
AI Analysis

Impact

Authentication credentials can be manipulated when the configuration parameter auth_username_chars is left empty. This allows an attacker to inject arbitrary LDAP filters into the authentication process, potentially bypassing access controls and revealing information about the LDAP directory. The weakness corresponds to CWE-90, which addresses LDAP Injection.

Affected Systems

Open‑Xchange GmbH’s OX Dovecot Pro is the affected product. No specific vulnerable versions are listed in the advisory, so all releases that use the default or an empty auth_username_chars value are potentially impacted.

Risk and Exploitability

With a CVSS score of 3.7 the vulnerability is considered low severity. No public exploits are known and the EPSS score is unavailable, suggesting limited exploitation risk under current conditions. Since the vulnerability relies on a misconfiguration that allows LDAP filter injection, an attacker must have the ability to provide authentication credentials to the affected service. The CISA KEV list does not include this issue, indicating it has not yet been exploited in the wild.

Generated by OpenCVE AI on March 27, 2026 at 09:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest fixed version of OX Dovecot Pro released by Open‑Xchange.
  • If an update is not yet available, configure the server so that the auth_username_chars setting is not left empty.
  • Verify that LDAP queries are properly sanitized and that authentication corresponds to the expected user.
  • Monitor logs for anomalous LDAP requests that may indicate an attempted injection.

Advisories
Source | ID | Title
Debian DSA | DSA-6197-1 | dovecot security update
Ubuntu USN | USN-8136-1 | Dovecot vulnerabilities

History

Wed, 29 Apr 2026 19:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Dovecot; Dovecot dovecot; Open-xchange dovecot
CPEs | | cpe:2.3:a:dovecot:dovecot:*:*:*:*:*:*:*:*; cpe:2.3:a:open-xchange:dovecot:*:*:*:*:pro:*:*:*
Vendors & Products | | Dovecot; Dovecot dovecot; Open-xchange dovecot

Mon, 30 Mar 2026 07:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Open-xchange; Open-xchange ox Dovecot Pro
Vendors & Products | | Open-xchange; Open-xchange ox Dovecot Pro

Sat, 28 Mar 2026 12:15:00 +0000

Type | Values Removed | Values Added
Title | LDAP Filter Injection in Open‑Xchange OX Dovecot Pro | dovecot: Dovecot: Authentication bypass and information disclosure via LDAP filter injection
References | |
Metrics | threat_severity: None | threat_severity: Low

Fri, 27 Mar 2026 13:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 27 Mar 2026 10:00:00 +0000

Type | Values Removed | Values Added
Title | | LDAP Filter Injection in Open‑Xchange OX Dovecot Pro

Fri, 27 Mar 2026 08:30:00 +0000

Type | Values Removed | Values Added
Description | | If auth_username_chars is empty, it is possible to inject an arbitrary LDAP filter into Dovecot's LDAP authentication. This leads to potentially bypassing restrictions and allows probing of LDAP structure. Do not clear out auth_username_chars, or install a fixed version. No publicly available exploits are known.
Weaknesses | | CWE-90
References | |
Metrics | | cvssV3_1: {'score': 3.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N'}

MITRE

Status: PUBLISHED

Assigner: OX

Published:

Updated: 2026-03-27T12:33:57.043Z

Reserved: 2026-02-24T08:46:09.374Z

Link: CVE-2026-27860

Vulnrichment

Updated: 2026-03-27T12:33:42.647Z

NVD

Status: Analyzed

Published: 2026-03-27T09:16:20.383

Modified: 2026-04-29T19:26:19.370

Link: CVE-2026-27860

Redhat

Severity: Low

Public Date: 2026-03-27T08:10:22Z

Links: CVE-2026-27860 - Bugzilla

OpenCVE Enrichment

Updated: 2026-03-30T07:02:11Z

Weaknesses