Description
Attacker can use a specially crafted base64 exchange between Dovecot and Client to fake SCRAM TLS channel binding. This requires that the attacker is able to position itself between Dovecot and the client connection. If successful, the attacker can eavesdrop communications between Dovecot and client as MITM proxy. Install fixed version. No publicly available exploits are known.
Published: 2026-05-12
Score: 6.8 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability enables an attacker who can position themselves between a client and a Dovecot server to fabricate a SCRAM TLS channel binding during a base64 exchange. This misleads the server into trusting the client’s encryption context, allowing the attacker to intercept and read the encrypted traffic as a MITM proxy, thereby compromising confidentiality of all mail communications.

Affected Systems

The flaw affects OX Dovecot Pro, developed by Open‑Xchange GmbH. No specific version constraints were listed in the advisory, so any installation that has not applied the public fix is potentially vulnerable.

Risk and Exploitability

The CVSS base score is 6.8, indicating moderate severity. The EPSS is not available, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires the attacker to be able to intercept or position themselves between the client and server—typical for an active network pass‑through or compromised router. No public exploits have been released, but the lack of a published proof of concept and the absence of a KEV listing suggest that active exploitation may be limited to targeted attacks with sufficient network positioning.

Generated by OpenCVE AI on May 12, 2026 at 15:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Deploy the patched version of OX Dovecot Pro that contains the fixed channel‑binding logic
  • Ensure clients verify the server’s TLS channel binding before allowing authentication
  • Restrict network access to the Dovecot service with firewall or VLAN policies so that only legitimate clients can reach the server
  • Monitor authentication logs for anomalous SCRAM attempts that may indicate a MITM attempt

Generated by OpenCVE AI on May 12, 2026 at 15:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 12 May 2026 15:45:00 +0000

Type Values Removed Values Added
Title Fake SCRAM TLS Channel Binding Allows MITM Eavesdropping in OX Dovecot Pro
First Time appeared Open-xchange
Open-xchange ox Dovecot Pro
Vendors & Products Open-xchange
Open-xchange ox Dovecot Pro

Tue, 12 May 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 12 May 2026 14:00:00 +0000

Type Values Removed Values Added
Description Attacker can use a specially crafted base64 exchange between Dovecot and Client to fake SCRAM TLS channel binding. This requires that the attacker is able to position itself between Dovecot and the client connection. If successful, the attacker can eavesdrop communications between Dovecot and client as MITM proxy. Install fixed version. No publicly available exploits are known.
Weaknesses CWE-99
References
Metrics cvssV3_1

{'score': 6.8, 'vector': 'CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N'}

Subscriptions

Open-xchange Ox Dovecot Pro
cve-icon MITRE

Status: PUBLISHED

Assigner: OX

Published:

Updated: 2026-05-12T15:08:00.334Z

Reserved: 2026-03-23T12:58:38.266Z

Link: CVE-2026-33603

cve-icon Vulnrichment

Updated: 2026-05-12T15:07:55.507Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-05-12T14:17:01.600

Modified: 2026-05-12T15:08:22.857

Link: CVE-2026-33603

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-12T15:30:18Z

Weaknesses