Description
Attacker can upload a malicious Sieve script over ManageSieve service (or locally) to bypass configured CPU time limits for Sieve up to 130 times of the configured limit. Attacker can use this to degrade server performance and bypass configured CPU time limits for Sieve scripts. Install fixed version, or alternatively prevent direct access to Sieve scripts via ManageSieve or local access. No publicly available exploits are known.
Published: 2026-05-12
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An attacker who can upload a Sieve script, through the ManageSieve service or by writing it to the script location locally, can make it run for up to 130 times the configured CPU time limit. The weakness is uncontrolled resource consumption (CWE-400), later also classified as allocation of resources without limits or throttling (CWE-770): the CPU time budget meant to bound script execution is not enforced, so a malicious script can consume excessive server CPU, degrade performance for other users and potentially cause a denial of service. No publicly available exploits are known. The CVE description states only performance degradation; a full denial of service is an inference from the uncontrolled CPU consumption rather than an explicit claim in the record.

Affected Systems

The CVE was assigned by Open‑Xchange GmbH for OX Dovecot Pro, specifically the Sieve interpreter whose scripts are uploaded through the ManageSieve component. The CPE data added on 18 May also lists the open-source dovecot product (cpe:2.3:a:dovecot:dovecot), and Debian (DSA-6313-1) and Ubuntu (USN-8365-1) have issued updates for the dovecot package, so community Dovecot installations with Sieve enabled should be treated as affected as well. Affected version ranges are not given on this page (the CPEs are version wildcards), so any deployment that has not installed the fixed version should be considered impacted.

Risk and Exploitability

With a CVSS 3.1 base score of 5.3 (vector AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H) the vulnerability is moderate: it is reachable over the network, requires low privileges (a mail account permitted to upload Sieve scripts) but no user interaction, is rated high attack complexity, and affects availability only. The EPSS score of 0.00016 (under 1%) indicates a minimal probability of exploitation in the wild, the SSVC assessment records exploitation as none and the issue as not automatable, and it is not listed in the CISA KEV catalog. An attack requires the ability to upload or place a Sieve script, via the ManageSieve interface or local file access; the script then consumes far more CPU time than the configured limit permits, producing measurable performance degradation on the server that executes it.

Generated by OpenCVE AI on May 25, 2026 at 14:20 UTC.

Remediation

The CVE description itself directs operators to install the fixed version or, as an interim workaround, to prevent direct access to Sieve scripts via ManageSieve or local access. No vendor advisory or fixed version number is linked on this page; distribution updates for the dovecot package are listed under Advisories.

OpenCVE Recommended Actions

  • Install the fixed version of Open‑Xchange OX Dovecot Pro to eliminate the CPU time limit bypass.
  • Restrict or disable direct access to Sieve scripts via ManageSieve or local file access to prevent malicious uploads.
  • Monitor server CPU usage and Sieve execution logs for abnormal patterns that may indicate abuse.

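
The workaround the description names, shown as an added Dovecot configuration example with the exposed state beside the hardened one. This is not configuration from this page, from Open‑Xchange or from the Dovecot project: Dovecot's protocols and inet_listener settings and Pigeonhole's sieve_max_cpu_time / sieve_resource_usage_timeout are documented settings, while the file names, the default values quoted in comments and the fixed release are assumptions to verify against your own installation and its changelog.

```conf
# Added example (not from the page, OX or Dovecot). Dovecot 2.3 / Pigeonhole
# config excerpts. File names and the quoted defaults are assumptions.

# --- BEFORE: ManageSieve listening for every mail user -------------------
# conf.d/20-managesieve.conf
protocols = $protocols sieve
service managesieve-login {
  inet_listener sieve {
    port = 4190
  }
}

# conf.d/90-sieve.conf
plugin {
  sieve = file:~/sieve;active=~/.dovecot.sieve
  # sieve_max_cpu_time (documented default: 30s) is the limit this CVE lets a
  # script exceed by up to 130x. Lowering it is NOT a mitigation here, because
  # the limit itself is what gets bypassed; it only helps once the fixed
  # version enforces it again.
  sieve_max_cpu_time = 30s
  sieve_resource_usage_timeout = 1 hour
}

# --- INTERIM WORKAROUND until the fixed package is installed --------------
# Stop remote uploads by not starting the ManageSieve service at all. Scripts
# already on disk still execute at delivery: review ~/sieve and the
# ~/.dovecot.sieve symlink of every user, and make sure only the delivery
# uid/gid can write there (the "local access" path in the description).
# conf.d/20-managesieve.conf
protocols = $protocols            # "sieve" removed: managesieve not started
service managesieve-login {
  inet_listener sieve {
    port = 0                      # port 0 disables the listener even if the
  }                               # protocol is appended by a packaging include
}

# Verify after `doveadm reload`; neither line should mention sieve/4190:
#   doveconf -n | grep -E '^protocols|port = 4190'
```

Disabling the listener removes the remote attack surface only; it does not touch scripts that were uploaded before the change or that an attacker can write locally, so the file-permission review above is part of the workaround, not optional. If packaging on your distribution appends the sieve protocol through an included file rather than the main configuration, the port = 0 override is the simpler and more robust of the two settings to apply.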

Advisories

Source       ID           Title
Debian DSA   DSA-6313-1   dovecot security update
Ubuntu USN   USN-8365-1   Dovecot vulnerabilities
History

Mon, 25 May 2026 12:15:00 +0000

Type: Title
  Removed: CPU Time Limit Bypass for Sieve Scripts in Open‑Xchange OX Dovecot Pro
  Added:   dovecot: Dovecot: Denial of Service due to Sieve script CPU limit bypass
Type: Weaknesses
  Added:   CWE-770
Type: References
Type: Metrics
  Removed: threat_severity: None
  Added:   threat_severity: Moderate


Mon, 18 May 2026 17:45:00 +0000

Type: First Time appeared
  Added:   Dovecot; Dovecot dovecot; Open-xchange dovecot
Type: CPEs
  Added:   cpe:2.3:a:dovecot:dovecot:*:*:*:*:*:*:*:*; cpe:2.3:a:open-xchange:dovecot:*:*:*:*:pro:*:*:*
Type: Vendors & Products
  Added:   Dovecot; Dovecot dovecot; Open-xchange dovecot

Tue, 12 May 2026 16:15:00 +0000

Type: First Time appeared
  Added:   Open-xchange; Open-xchange ox Dovecot Pro
Type: Vendors & Products
  Added:   Open-xchange; Open-xchange ox Dovecot Pro
Type: Metrics
  Added:   ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 12 May 2026 15:45:00 +0000

Type: Title
  Added:   CPU Time Limit Bypass for Sieve Scripts in Open‑Xchange OX Dovecot Pro

Tue, 12 May 2026 14:00:00 +0000

Type: Description
  Added:   Attacker can upload a malicious Sieve script over ManageSieve service (or locally) to bypass configured CPU time limits for Sieve up to 130 times of the configured limit. Attacker can use this to degrade server performance and bypass configured CPU time limits for Sieve scripts. Install fixed version, or alternatively prevent direct access to Sieve scripts via ManageSieve or local access. No publicly available exploits are known.
Type: Weaknesses
  Added:   CWE-400
Type: References
Type: Metrics
  Added:   cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: OX

Published:

Updated: 2026-05-12T15:38:42.912Z

Reserved: 2026-04-08T09:59:59.342Z

Link: CVE-2026-40016

Vulnrichment

Updated: 2026-05-12T15:38:39.723Z

NVD

Status : Analyzed

Published: 2026-05-12T14:17:03.570

Modified: 2026-05-18T17:34:37.057

Link: CVE-2026-40016

Redhat

Severity : Moderate

Public Date: 2026-05-12T13:28:45Z

Links: CVE-2026-40016 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-25T14:30:06Z

Weaknesses