Description
Attacker can use the IMAP SETACL command to inject the anyone permission to user's dovecot-acl file even if imap_acl_allow_anyone=no. This causes folders to be spammed to all users. The impact is limited to being able to spam folders to other users, no unexpected access is gained. Install to fixed version. No publicly available exploits are known.
Published: 2026-05-12
Score: 3.1 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw lets an authenticated IMAP user issue the SETACL command in a way that writes an "anyone" entry into a mailbox's dovecot-acl file even when imap_acl_allow_anyone is set to no, the setting that is supposed to reject such grants. In Dovecot an "anyone" ACL entry applies to every user of the server, so the attacker can expose arbitrary numbers of their own folders to all users (the "folder spam" the description refers to); the bug does not deliver messages into other users' mailboxes. No access to other users' data is gained: the CVSS vector records no confidentiality or integrity impact and only a low availability impact. The root cause is an access-control weakness (CWE-284; the record also carries CWE-88, argument injection) that permits an ACL modification the configuration is meant to forbid.

Affected Systems

The record lists Open-Xchange's OX Dovecot Pro and the open-source Dovecot (dovecot) CPEs without version ranges, so any installation whose IMAP ACL plugin accepts SETACL should be treated as potentially affected until updated. The Debian and Ubuntu advisories listed below cover the distribution dovecot packages.

Risk and Exploitability

The CVSS 3.1 base score is 3.1 (Low), vector CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L: the attack is reachable over the network through IMAP but requires an authenticated mailbox account (PR:L) and high attack complexity, and it affects availability only. The EPSS score is below 1%, a low estimated probability of exploitation in the wild, and the SSVC assessment records Exploitation: none, Automatable: no, Technical Impact: partial. The vulnerability is not listed in the CISA KEV catalog, and no public exploit is known.

Generated by OpenCVE AI on May 19, 2026 at 01:51 UTC.

Remediation

The entry records no specific fixed version, but the CVE description says to install the fixed version, and the Debian DLA, Debian DSA and Ubuntu USN advisories listed below ship updated dovecot packages. No workaround is provided by the vendor.

OpenCVE Recommended Actions

  • Update dovecot / OX Dovecot Pro to the fixed version; the Debian and Ubuntu advisories listed under Advisories carry the corresponding package updates.
  • Keep imap_acl_allow_anyone set to no, but do not treat it as a mitigation for this issue: the vulnerability is precisely that SETACL writes an "anyone" entry despite that setting. Where the IMAP ACL commands are not needed, leaving the imap_acl plugin out of mail_plugins for the imap service removes the SETACL command entirely (general hardening, not a vendor-documented workaround).
  • Audit existing dovecot-acl files for "anyone" entries that no user legitimately created, remove them, and monitor for new ones; record SETACL usage if your deployment captures IMAP command traffic.
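One way to carry out the audit item above is to scan the mail store for ACL files that grant rights to everybody. The following Python script is an added example, not code from OpenCVE, Open-Xchange or the Dovecot project; it assumes the vfile ACL backend (a plain-text dovecot-acl file per mailbox directory, one "identifier rights" entry per line), a hypothetical mail root, and a sample tree it constructs itself. It also flags the "authenticated" identifier, which the CVE does not mention, because it grants rights to every logged-in user in the same way.

```python
"""Audit dovecot-acl files for grants to 'anyone'.

Added example, not from the CVE record or the Dovecot project. It assumes
the vfile ACL backend: each mailbox directory holds a 'dovecot-acl' file
with one entry per line, an identifier followed by right letters, for
example 'user=bob lrws' or 'anyone lr'. A leading '-' on the identifier
marks a negative (deny) entry and '#' starts a comment. The mail root is a
hypothetical path; the sample tree below is constructed for demonstration.
"""
import os
import tempfile
from typing import Dict, List, Tuple

ACL_FILENAME = "dovecot-acl"

# Identifiers that apply to everybody rather than a named user or group.
# 'anyone' is the one the CVE describes; 'authenticated' (all logged-in
# users) is included as a generalisation.
BROAD_IDENTIFIERS = {"anyone", "authenticated"}


def parse_dovecot_acl(text: str) -> List[Tuple[str, str]]:
    """Return (identifier, rights) pairs from dovecot-acl file contents.

    Blank lines and comments are skipped. Negative entries keep the
    leading '-' on the identifier so callers can tell deny from allow.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        identifier = parts[0]
        rights = parts[1].strip() if len(parts) > 1 else ""
        entries.append((identifier, rights))
    return entries


def broad_grants(entries: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Keep only positive entries whose identifier applies to everyone."""
    return [(ident, rights) for ident, rights in entries
            if ident in BROAD_IDENTIFIERS and rights]


def find_anyone_grants(mail_root: str) -> Dict[str, List[Tuple[str, str]]]:
    """Walk a mail store and map each ACL file path to its broad grants."""
    findings: Dict[str, List[Tuple[str, str]]] = {}
    for dirpath, _dirnames, filenames in os.walk(mail_root):
        if ACL_FILENAME not in filenames:
            continue
        path = os.path.join(dirpath, ACL_FILENAME)
        with open(path, encoding="utf-8", errors="replace") as fh:
            grants = broad_grants(parse_dovecot_acl(fh.read()))
        if grants:
            findings[path] = grants
    return findings


def audit_report(mail_root: str) -> List[Tuple[str, str, str]]:
    """Flatten findings to sorted (relative acl path, identifier, rights) rows."""
    rows = []
    for path, grants in find_anyone_grants(mail_root).items():
        rel = os.path.relpath(path, mail_root).replace(os.sep, "/")
        rows.extend((rel, ident, rights) for ident, rights in grants)
    return sorted(rows)


# Constructed sample store: two users, one of whom has shared folders to all.
SAMPLE_ACLS = {
    "alice/Maildir/dovecot-acl": "owner lrwstipekxa\nuser=bob lr\n",
    "alice/Maildir/.Sent/dovecot-acl": "# shared on purpose\nuser=carol lr\n",
    "mallory/Maildir/.Promo1/dovecot-acl": "owner lrwstipekxa\nanyone lr\n",
    "mallory/Maildir/.Promo2/dovecot-acl": "anyone lrws\n-user=alice lr\n",
    "mallory/Maildir/.Private/dovecot-acl": "-anyone lr\nowner lrwstipekxa\n",
}


def build_sample_store() -> str:
    """Write SAMPLE_ACLS into a temporary directory and return its path."""
    root = tempfile.mkdtemp(prefix="dovecot-acl-audit-")
    for rel, content in SAMPLE_ACLS.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    store = build_sample_store()
    for rel_path, ident, rights in audit_report(store):
        print(f"{rel_path}: {ident} {rights}")
```

On a real server, point audit_report() at the mail location root (for example the parent of all users' Maildir directories); the "-anyone" entry in the sample is deliberately not reported, since a negative entry removes rights rather than granting them.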



Advisories

Source       ID           Title
Debian DLA   DLA-4617-1   dovecot security update
Debian DSA   DSA-6313-1   dovecot security update
Ubuntu USN   USN-8365-1   Dovecot vulnerabilities

History

Tue, 19 May 2026 00:15:00 +0000

Type          Values Removed            Values Added
Title                                   dovecot: dovecot: Denial of Service via IMAP SETACL command injection
Weaknesses                              CWE-88
References
Metrics       threat_severity: None     threat_severity: Moderate


Mon, 18 May 2026 19:15:00 +0000

Type Values Removed Values Added
Title IMAP SETACL Allows Injection of Anyone Permission in Dovecot ACL File

Mon, 18 May 2026 17:45:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Dovecot; Dovecot dovecot; Open-xchange dovecot
Weaknesses                             NVD-CWE-noinfo
CPEs                                   cpe:2.3:a:dovecot:dovecot:*:*:*:*:*:*:*:*
                                       cpe:2.3:a:open-xchange:dovecot:*:*:*:*:pro:*:*:*
Vendors & Products                     Dovecot; Dovecot dovecot; Open-xchange dovecot

Tue, 12 May 2026 16:45:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Open-xchange; Open-xchange ox Dovecot Pro
Vendors & Products                     Open-xchange; Open-xchange ox Dovecot Pro

Tue, 12 May 2026 16:15:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 12 May 2026 15:45:00 +0000

Type Values Removed Values Added
Title IMAP SETACL Allows Injection of Anyone Permission in Dovecot ACL File

Tue, 12 May 2026 14:00:00 +0000

Type          Values Removed   Values Added
Description                    Attacker can use the IMAP SETACL command to inject the anyone permission to user's dovecot-acl file even if imap_acl_allow_anyone=no. This causes folders to be spammed to all users. The impact is limited to being able to spam folders to other users, no unexpected access is gained. Install to fixed version. No publicly available exploits are known.
Weaknesses                     CWE-284
References
Metrics                        cvssV3_1: {'score': 3.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L'}


MITRE

Status: PUBLISHED

Assigner: OX

Published:

Updated: 2026-05-12T15:40:12.510Z

Reserved: 2026-04-08T09:59:59.342Z

Link: CVE-2026-40020

Vulnrichment

Updated: 2026-05-12T15:40:08.183Z

NVD

Status : Analyzed

Published: 2026-05-12T14:17:03.687

Modified: 2026-05-18T17:36:04.530

Link: CVE-2026-40020

Redhat

Severity : Moderate

Public Date: 2026-05-12T13:28:46Z

Links: CVE-2026-40020 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-19T02:00:14Z