Description
An attacker can upload a malicious Sieve script over the ManageSieve service (or locally) to bypass the configured CPU time limit for Sieve scripts, running for up to 130 times the configured limit. An attacker can use this to degrade server performance and bypass the configured CPU time limits for Sieve scripts. Install the fixed version, or alternatively prevent direct access to Sieve scripts via ManageSieve or local access. No publicly available exploits are known.
Published: 2026-05-12
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An attacker can upload a malicious Sieve script through the ManageSieve service or via local access, allowing the script to run for up to 130 times the configured CPU time limit. This bypass enables the attacker to consume excessive server CPU resources, degrading performance and potentially causing a denial of service. No publicly available exploits are known, but the flaw offers a direct means of impairing system stability.

Affected Systems

The issue affects Open‑Xchange GmbH’s OX Dovecot Pro product, specifically the ManageSieve component that processes Sieve scripts. Version details are not supplied, so any deployment of this product is potentially impacted.

Risk and Exploitability

With a CVSS score of 5.3 the vulnerability is moderate; the EPSS score is not available, so the likely exploitation frequency cannot be quantified. It is not listed in the CISA KEV catalog. An attack would require the ability to upload a Sieve script, which can be achieved via the public ManageSieve interface or by local file access. The attacker’s script can then consume more CPU time than permitted, leading to measurable performance degradation.

Generated by OpenCVE AI on May 12, 2026 at 15:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install the fixed version of Open‑Xchange OX Dovecot Pro to eliminate the CPU time limit bypass.
  • Restrict or disable direct access to Sieve scripts via ManageSieve or local file access to prevent malicious uploads.
  • Monitor server CPU usage and Sieve execution logs for abnormal patterns that may indicate abuse.


Advisories

No advisories yet.

History

Tue, 12 May 2026 15:45:00 +0000

Type: Title
Values removed: (none)
Values added: CPU Time Limit Bypass for Sieve Scripts in Open‑Xchange OX Dovecot Pro

Tue, 12 May 2026 14:00:00 +0000

Type: Description
Values removed: (none)
Values added: Attacker can upload a malicious Sieve script over ManageSieve service (or locally) to bypass configured CPU time limits for Sieve up to 130 times of the configured limit. Attacker can use this to degrade server performance and bypass configured CPU time limits for Sieve scripts. Install fixed version, or alternatively prevent direct access to Sieve scripts via ManageSieve or local access. No publicly available exploits are known.

Type: Weaknesses
Values removed: (none)
Values added: CWE-400

Type: References
Values removed: (none)
Values added: (none)

Type: Metrics
Values removed: (none)
Values added: cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H'}

MITRE

Status: PUBLISHED

Assigner: OX

Published:

Updated: 2026-05-12T15:38:42.912Z

Reserved: 2026-04-08T09:59:59.342Z

Link: CVE-2026-40016

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-05-12T14:17:03.570

Modified: 2026-05-12T15:08:22.857

Link: CVE-2026-40016

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-12T15:30:18Z

Weaknesses