In late March, the Dovecot team published advisory OXDC-ADV-2026-0001 — a bundle of eight CVEs covering everything from pre-authentication path traversal to SQL injection to multiple denial-of-service vectors. If Dovecot is the IMAP daemon on your mail server (it almost certainly is), this deserves your attention.
Here is a breakdown of what matters, in roughly descending order of alarm.
The Serious Ones
CVE-2026-24031 — SQL injection auth bypass (CVSS 7.7, HIGH)
This one affects only Dovecot v2.4/v3.1, and only when an administrator has set auth_username_chars to an empty value, which disables the character filter Dovecot normally applies to usernames before they reach a passdb. In that configuration a crafted username is passed unfiltered into the SQL query used for authentication, and an attacker can log in as any user without knowing the password. v2.3.x is not affected by this particular bug. If you have upgraded to v2.4 and cleared auth_username_chars, patch immediately; until the fixed package is in, putting the setting back to its default removes the precondition the attack relies on.
CVE-2026-0394 — Path traversal in passwd-file passdb (pre-authentication)
If your passwd-file passdb uses per-domain files, with the domain inserted into the path through the %d expansion, that expansion is not confined to the intended directory: a crafted domain can walk up the tree, and when the files sit one directory level away from /etc the lookup ends up opening /etc/passwd. No credentials are needed, because the domain comes from the login name itself. Most default setups do not use domain-split passwd files, but if yours does, check the paths now (the passdb block in doveconf -n output shows them). Reading /etc/passwd is bad enough on its own; if passwords are stored there in any form, the situation is significantly worse.
CVE-2026-27856 — doveadm timing oracle (CVSS 7.4, HIGH)
Dovecot’s doveadm management interface verifies its credentials with a comparison that is not constant-time, so the time it takes to reject a wrong password depends on how much of that password was correct. An attacker who can reach the listener and make enough attempts can statistically recover the doveadm password and gain full administrative control. Doveadm is typically not exposed to the public internet, but if your doveadm inet_listener is reachable from outside (check the service doveadm block in doveconf -n), treat this as critical priority, and bind it to loopback or a management network while you patch.
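To make the timing-oracle point concrete, here is an added example written for this post. It is not code from the advisory or from Dovecot and is not a model of doveadm's actual implementation: it counts the work an early-exit comparison does against a constant-time one, then drives the early-exit version as an oracle to recover a secret byte by byte. The secret, the alphabet and the work-counting functions are all constructed for the example.

```python
"""Added example (not Dovecot code): why an early-exit credential comparison is
a timing oracle, and what the constant-time alternative changes.

Instead of timing the comparisons (noisy and hardware dependent), each function
reports how many byte comparisons it performed. For the early-exit version that
count is the signal an attacker reads off response latency.
"""
import hmac
from typing import Tuple

ALPHABET = b"abcdefghijklmnopqrstuvwxyz0123456789"  # assumed secret alphabet


def naive_compare(secret: bytes, guess: bytes) -> Tuple[bool, int]:
    """Byte-by-byte comparison that stops at the first mismatch.

    Returns (match, work). `work` grows with the length of the correctly
    guessed prefix, which is the leak the advisory describes.
    """
    work = 0
    if len(secret) != len(guess):
        return False, work
    for a, b in zip(secret, guess):
        work += 1
        if a != b:
            return False, work
    return True, work


def constant_time_compare(secret: bytes, guess: bytes) -> Tuple[bool, int]:
    """Comparison whose work depends only on len(secret).

    Every byte is examined and a length mismatch is folded into the result
    instead of short-circuiting. Production code should call
    hmac.compare_digest(); this version exists so the work can be counted.
    """
    diff = len(secret) ^ len(guess)
    padded = guess + bytes(max(0, len(secret) - len(guess)))
    work = 0
    for a, b in zip(secret, padded):
        work += 1
        diff |= a ^ b
    return diff == 0, work


def safe_equal(secret: bytes, guess: bytes) -> bool:
    """What a fixed verifier should use: the standard library's constant-time compare."""
    return hmac.compare_digest(secret, guess)


def recover_by_oracle(secret: bytes, alphabet: bytes = ALPHABET) -> bytes:
    """Model of the attack: recover `secret` one byte at a time using only the
    work count of naive_compare (the secret is never read directly).

    For each position every alphabet byte is tried; the byte that makes the
    comparison do strictly more work than the others is the correct one.
    Assumes the secret is built from `alphabet`.
    """
    if not secret:
        return b""
    recovered = b""
    while True:
        best_byte, best_work = None, -1
        for c in alphabet:
            candidate = recovered + bytes([c])
            # Pad to the secret's length so the length check does not mask the oracle.
            probe = candidate + bytes(len(secret) - len(candidate))
            match, work = naive_compare(secret, probe)
            if match:
                return candidate
            if work > best_work:
                best_byte, best_work = c, work
        # The correct byte lets the comparison advance one step past it.
        if best_work < len(recovered) + 2:
            raise ValueError("oracle did not advance; secret uses bytes outside the alphabet")
        recovered += bytes([best_byte])
```

The work count stands in for latency: against naive_compare a guess with three correct leading bytes costs four comparisons, a guess with none costs one, and that difference is all recover_by_oracle needs. Against constant_time_compare every guess of the same secret costs exactly the same, so the same attack has nothing to measure.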
The Nuisances
Three denial-of-service vulnerabilities round out the bundle:
- CVE-2026-27857: A NOOP command with around 4,000 nested parentheses causes roughly 1 MB of extra memory allocation per connection. An attacker holding 1,000 connections can allocate around 1 GB, potentially killing the imap-login process entirely.
- CVE-2026-27858: A similar DoS against the managesieve-login daemon. A crafted pre-authentication message forces large memory allocation before any credentials are checked.
- CVE-2026-27859: A regression introduced in v3.0.2 where messages containing excessive RFC 2231 MIME parameters cause LMTP to burn disproportionate CPU. An attacker can slow down your inbound mail delivery by sending carefully malformed messages.
None of these are remote code execution, but the DoS vectors are trivially triggered and can cause real deliverability disruptions on busy servers.
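Before patching it helps to know whether a host is actually in one of the configurations the Serious Ones above depend on. The following is an added example written for this post, not part of Dovecot or of the advisory: it reads a doveconf -n dump and flags an empty auth_username_chars, a passwd-file passdb path that expands %d, and a doveadm inet_listener reachable beyond loopback. The parser is a simplified reading of the doveconf output format and assumes the 2.3-style passdb block (args and driver keys), the dumps inside the script are constructed, and the handling of an inet_listener with no address (assumed to follow the global listen setting) is an assumption.

```python
"""Added example (not Dovecot code and not from the advisory): audit a `doveconf -n`
dump for the configuration conditions the advisory ties to the three serious CVEs.
The parser is a simplified reading of doveconf output (`key = value` lines inside
`name { ... }` blocks, 2.3-style passdb syntax); the dumps below are constructed.
Live use:  doveconf -n | python3 audit_dovecot.py
"""
import re
import sys

SECTION_OPEN = re.compile(r"^(?P<name>[^#{}=]+?)\s*\{$")
KEY_VALUE = re.compile(r"^(?P<key>[A-Za-z0-9_]+)\s*=\s*(?P<value>.*)$")
LOOPBACK = {"127.0.0.1", "::1", "localhost"}

def parse_doveconf(text):
    """Yield (section_path, key, value); section_path is the tuple of enclosing
    block headers, e.g. ("service doveadm", "inet_listener")."""
    stack = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == "}":
            if stack:
                stack.pop()
        elif (m := SECTION_OPEN.match(line)):
            stack.append(" ".join(m.group("name").split()))
        elif (m := KEY_VALUE.match(line)):
            yield tuple(stack), m.group("key"), m.group("value").strip()

def check_username_chars(settings):
    """CVE-2026-24031 precondition: auth_username_chars set to empty, so no filtering."""
    return ["auth_username_chars is empty: username character filtering is disabled "
            "(CVE-2026-24031 precondition on v2.4)"
            for path, key, value in settings
            if not path and key == "auth_username_chars" and value == ""]

def check_passwd_file_domain_paths(settings):
    """CVE-2026-0394 precondition: a passwd-file passdb whose path expands %d.
    Flagged wherever the file lives, which is broader than the advisory's exact condition."""
    blocks = {}
    for path, key, value in settings:
        if path and path[-1].split()[0] == "passdb":
            blk = blocks.setdefault(path, {"driver": "", "paths": []})
            if key == "driver":
                blk["driver"] = value
            elif "%d" in value:
                blk["paths"].append(value)
    return [f"passwd-file path expands the domain: {p} (CVE-2026-0394)"
            for blk in blocks.values() if blk["driver"] == "passwd-file" for p in blk["paths"]]

def check_doveadm_exposure(settings):
    """CVE-2026-27856 exposure: a doveadm inet_listener reachable beyond loopback."""
    listeners = {}
    for path, key, value in settings:
        if len(path) > 1 and path[0] == "service doveadm" and path[1].split()[0] == "inet_listener":
            listeners.setdefault(path, {})[key] = value
    findings = []
    for cfg in listeners.values():
        if cfg.get("port", "0") == "0":
            continue  # port 0 disables the listener
        addrs = [a for a in re.split(r"[,\s]+", cfg.get("address", "")) if a]
        # Assumption: a listener with no address follows the global `listen` setting.
        if not addrs or not set(addrs) <= LOOPBACK:
            bound = " ".join(addrs) or "<global listen setting>"
            findings.append(f"doveadm listener on port {cfg['port']} bound to {bound} "
                            "(CVE-2026-27856 exposure)")
    return findings

def audit(text):
    """All findings for one dump; an empty list means none of the three conditions was seen."""
    settings = list(parse_doveconf(text))
    return (check_username_chars(settings) + check_passwd_file_domain_paths(settings)
            + check_doveadm_exposure(settings))

# Constructed dump with all three conditions present.
RISKY_DUMP = """\
# 2.3.19.1: /etc/dovecot/dovecot.conf
auth_username_chars =
passdb {
  args = /etc/dovecot/vhosts/%d/passwd
  driver = passwd-file
}
service doveadm {
  inet_listener {
    address = 0.0.0.0
    port = 2300
  }
}
"""

# The same dump with the three conditions removed: default username filter
# restored, one shared passwd file, doveadm bound to loopback only.
HARDENED_DUMP = (RISKY_DUMP.replace("auth_username_chars =\n", "")
                 .replace("/vhosts/%d/passwd", "/users").replace("0.0.0.0", "127.0.0.1"))

if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else RISKY_DUMP
    print("\n".join(audit(text) or ["no flagged conditions"]))
```

Pipe a real dump in with doveconf -n | python3 audit_dovecot.py. An empty result only means none of these three conditions was found; it says nothing about the DoS issues, which need the patched package regardless of configuration, or about whether that package is installed.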
Patching
Dovecot addressed all eight CVEs in the same release window. Distribution packages to look for:
- Debian bookworm (12): 1:2.3.19.1+dfsg1-2.1+deb12u2
- Debian trixie (13): 1:2.4.1+dfsg1-6+deb13u4
- Ubuntu: USN-8136-1 (with a follow-up regression fix in USN-8136-2)
- RHEL / AlmaLinux / Rocky: check your vendor’s errata for the dovecot package.
On Debian or Ubuntu, a straightforward apt update && apt upgrade dovecot-core will get you there. Verify with apt-cache policy dovecot-core, which prints the package version you can compare against the builds above; dovecot --version only shows the upstream version (2.3.19.1, 2.4.1 and so on), not the Debian revision that carries the fix, so it cannot tell you whether the patch is in. If the installed version predates the patched build, your server is exposed. On Ubuntu, make sure the USN-8136-2 regression fix is installed as well, not just the original update.
What This Means for kalfaoglu.net Customers
If you are on a kalfaoglu.net shared hosting plan, our mail servers run Dovecot and we applied the relevant patches when they became available. You do not need to take any action.
If you manage your own VPS or dedicated server with Dovecot handling IMAP or POP3: patch now. The SQL injection and timing oracle vulnerabilities are not theoretical — they are genuinely exploitable by a motivated attacker who can reach the relevant service. The DoS vectors require even less sophistication.
If you are unsure which version you are running, SSH in and check:
# Debian / Ubuntu
apt-cache policy dovecot-core
# RHEL / AlmaLinux / Rocky
rpm -q dovecot
One thing worth flagging for v2.4 users: CVE-2026-24031 is the first significant security bug to land specifically in the v2.4 branch, which brought major changes to the authentication subsystem. If you migrated to v2.4 recently, this is an early reminder that new branches tend to surface configuration-sensitive bugs in the months after release. Keeping automatic security updates enabled (unattended-upgrades on Debian and Ubuntu), or at least watching the Dovecot security mailing list, is worth the small overhead.