Description
Attacker can use the IMAP SETACL command to inject the anyone permission to user's dovecot-acl file even if imap_acl_allow_anyone=no. This causes folders to be spammed to all users. The impact is limited to being able to spam folders to other users, no unexpected access is gained. Install to fixed version. No publicly available exploits are known.
Published: 2026-05-12
Score: 3.1 Low
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows an attacker to use the IMAP SETACL command to inject the "anyone" permission into a user's dovecot-acl file, even when imap_acl_allow_anyone is set to no. This injection causes folders to be spammed to all users. Because the attacker gains only the ability to spam folders to other users, there is no escalation to additional system access or data exposure. The flaw is an access control weakness that permits unauthorized modifications to ACL entries.

Affected Systems

The affected product is Open-Xchange's OX Dovecot Pro. No specific product version information is listed, so any installation that uses the vulnerable IMAP SETACL handling should be considered potentially affected.

Risk and Exploitability

The CVSS score is 3.1, indicating low severity, and no EPSS score is available, suggesting limited publicly documented exploitation. The vulnerability is not listed in the CISA KEV catalog. The attack vector is remote: the IMAP SETACL command is sent over a network connection. No public exploits are known, and the impact is limited to folder spam without granting additional privileges.

Generated by OpenCVE AI on May 12, 2026 at 15:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Open-Xchange OX Dovecot Pro to the fixed version that removes the SETACL injection flaw.
  • Ensure that the configuration directive imap_acl_allow_anyone is set to no to reduce the window for ACL modifications.
  • Audit and monitor dovecot-acl files and IMAP SETACL activity logs for unexpected entries or repeated access attempts.
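To support the audit step above, the following is an added example (not OpenCVE's, Open-Xchange's or Dovecot's own code) that parses the contents of a dovecot-acl file and flags any entry granting rights to the anyone or anonymous identifier; the sample file contents are constructed.

```python
"""Flag 'anyone'/'anonymous' grants in Dovecot ACL file contents.

A dovecot-acl file holds one entry per line: an identifier (owner,
user=NAME, group=NAME, group-override=NAME, authenticated, anyone or
anonymous), whitespace, then right letters such as lrwst. '#' starts a
comment; an identifier prefixed with '-' denotes negative rights, not a grant.
"""
import re
from typing import NamedTuple

# Assumption: rights granted to these identifiers are suspicious unless the
# site deliberately shares the mailbox with everyone.
BROAD_IDENTIFIERS = {"anyone", "anonymous"}
LINE_RE = re.compile(r"^(\S+)\s+(\S+)$")

class AclEntry(NamedTuple):
    identifier: str
    rights: str
    lineno: int

def parse_acl(text: str) -> list[AclEntry]:
    """Parse dovecot-acl contents, skipping blank and comment lines."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"line {lineno}: malformed ACL entry {raw!r}")
        entries.append(AclEntry(m.group(1), m.group(2), lineno))
    return entries

def find_broad_grants(text: str) -> list[AclEntry]:
    """Return entries granting rights to anyone/anonymous; '-anyone' is not a grant."""
    return [e for e in parse_acl(text) if e.identifier in BROAD_IDENTIFIERS]

# Constructed sample: the last line is what an injected 'anyone' grant looks like.
SAMPLE_ACL = """\
# dovecot-acl for a shared folder (constructed sample)
owner lrwstipekxa
user=bob lr
-anyone r
anyone lrwstipekxa
"""

if __name__ == "__main__":
    for e in find_broad_grants(SAMPLE_ACL):
        print(f"line {e.lineno}: {e.identifier} granted {e.rights}")
```

Run it over each per-mailbox dovecot-acl file (or the global ACL file) and treat any reported entry that was not deliberately configured as a candidate for the injection described in this CVE.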

Advisories

No advisories yet.

History

Tue, 12 May 2026 15:45:00 +0000

Type | Values Removed | Values Added
Title | | IMAP SETACL Allows Injection of Anyone Permission in Dovecot ACL File

Tue, 12 May 2026 14:00:00 +0000

Type | Values Removed | Values Added
Description | | Attacker can use the IMAP SETACL command to inject the anyone permission to user's dovecot-acl file even if imap_acl_allow_anyone=no. This causes folders to be spammed to all users. The impact is limited to being able to spam folders to other users, no unexpected access is gained. Install to fixed version. No publicly available exploits are known.
Weaknesses | | CWE-284
References | |
Metrics | | cvssV3_1: {'score': 3.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L'}

MITRE

Status: PUBLISHED

Assigner: OX

Published:

Updated: 2026-05-12T15:40:12.510Z

Reserved: 2026-04-08T09:59:59.342Z

Link: CVE-2026-40020

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-05-12T14:17:03.687

Modified: 2026-05-12T15:08:22.857

Link: CVE-2026-40020

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-12T15:30:18Z

Weaknesses