Description
Attacker can use a specially crafted base64 exchange between Dovecot and Client to fake SCRAM TLS channel binding. This requires that the attacker is able to position itself between Dovecot and the client connection. If successful, the attacker can eavesdrop communications between Dovecot and client as MITM proxy. Install fixed version. No publicly available exploits are known.
Published: 2026-05-12
Score: 6.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability enables an attacker who can position themselves between a client and a Dovecot server to fabricate a SCRAM TLS channel binding during a base64 exchange. This misleads the server into trusting the client’s encryption context, allowing the attacker to intercept and read the encrypted traffic as a MITM proxy, thereby compromising confidentiality of all mail communications.

Affected Systems

The flaw affects OX Dovecot Pro, developed by Open‑Xchange GmbH. No specific version constraints were listed in the advisory, so any installation that has not applied the public fix is potentially vulnerable.

Risk and Exploitability

The CVSS base score is 6.8, indicating moderate severity. The EPSS score is 8e-05, indicating a very low likelihood of exploitation, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires the attacker to be able to intercept or position themselves between the client and server—typical for an active network pass‑through or compromised router. No public exploits have been released, but the lack of a published proof of concept and the absence of a KEV listing suggest that active exploitation may be limited to targeted attacks with sufficient network positioning.

Generated by OpenCVE AI on May 19, 2026 at 01:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Deploy the patched version of OX Dovecot Pro that contains the fixed channel‑binding logic
  • Ensure clients verify the server’s TLS channel binding before allowing authentication
  • Restrict network access to the Dovecot service with firewall or VLAN policies so that only legitimate clients can reach the server
  • Monitor authentication logs for anomalous SCRAM attempts that may indicate a MITM attempt

Generated by OpenCVE AI on May 19, 2026 at 01:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4617-1 dovecot security update
Debian DSA Debian DSA DSA-6313-1 dovecot security update
Ubuntu USN Ubuntu USN USN-8365-1 Dovecot vulnerabilities
History

Tue, 19 May 2026 00:15:00 +0000

Type Values Removed Values Added
Title Fake SCRAM TLS Channel Binding Allows MITM Eavesdropping in OX Dovecot Pro dovecot: Dovecot: Information disclosure via SCRAM TLS channel binding bypass
Weaknesses CWE-940
References
Metrics threat_severity

None

 threat_severity

Moderate

Mon, 18 May 2026 17:45:00 +0000

Type Values Removed Values Added
First Time appeared Dovecot
Dovecot dovecot
Open-xchange dovecot
CPEs cpe:2.3:a:dovecot:dovecot:*:*:*:*:*:*:*:*
cpe:2.3:a:open-xchange:dovecot:*:*:*:*:pro:*:*:*
Vendors & Products Dovecot
Dovecot dovecot
Open-xchange dovecot

Tue, 12 May 2026 15:45:00 +0000

Type Values Removed Values Added
Title Fake SCRAM TLS Channel Binding Allows MITM Eavesdropping in OX Dovecot Pro
First Time appeared Open-xchange
Open-xchange ox Dovecot Pro
Vendors & Products Open-xchange
Open-xchange ox Dovecot Pro

Tue, 12 May 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 12 May 2026 14:00:00 +0000

Type Values Removed Values Added
Description Attacker can use a specially crafted base64 exchange between Dovecot and Client to fake SCRAM TLS channel binding. This requires that the attacker is able to position itself between Dovecot and the client connection. If successful, the attacker can eavesdrop communications between Dovecot and client as MITM proxy. Install fixed version. No publicly available exploits are known.
Weaknesses CWE-99
References
Metrics cvssV3_1

{'score': 6.8, 'vector': 'CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N'}

Subscriptions

Dovecot Dovecot
Open-xchange Dovecot Ox Dovecot Pro
cve-icon MITRE

Status: PUBLISHED

Assigner: OX

Published:

Updated: 2026-05-12T15:08:00.334Z

Reserved: 2026-03-23T12:58:38.266Z

Link: CVE-2026-33603

cve-icon Vulnrichment

Updated: 2026-05-12T15:07:55.507Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-12T14:17:01.600

Modified: 2026-05-18T17:35:35.650

Link: CVE-2026-33603

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-05-12T13:28:44Z

Links: CVE-2026-33603 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-19T02:00:14Z

Weaknesses