On 5 May 2026, the Dovecot team published security advisory OXDC-2026-0002, covering five vulnerabilities fixed in OX Dovecot CE 2.4.4 (and Pro 3.1.5). If you are running Dovecot CE 2.4.3 or earlier, this is your prompt to upgrade.
What’s in the advisory
CVE-2026-27851 — SQL/LDAP injection via variable expansion (CVSS 7.4)
The most serious of the five. When the safe filter is used in Dovecot’s variable expansion (lib-var-expand), it incorrectly treats all subsequent pipelines on the same string as safe too. The result: attacker-controlled data can bypass escaping and land unmodified in SQL or LDAP queries used for authentication. No public exploit exists yet, but CVSS 7.4 with a network attack vector and no required privileges is not something to sit on. If you cannot upgrade immediately, the workaround is to avoid the safe filter in your configuration until you can.
CVE-2026-40016 — Sieve CPU-limit bypass, up to 130× overrun (CVSS 5.3)
An attacker with ManageSieve access (or local access to upload scripts) can craft a Sieve script that exploits quadratic O(N×M) substring matching in :contains/:matches to blow past sieve_max_cpu_time by as much as 130 times. Depending on your server load, this is a meaningful denial-of-service vector. Workaround: restrict ManageSieve access to trusted users or disable it until patched.
CVE-2026-33603 — SCRAM TLS channel-binding MITM (CVSS 6.8)
Tabs inside Base64 authentication data bypass Dovecot’s IPC protection, allowing a network-adjacent attacker to spoof SCRAM TLS channel binding and position themselves as a man-in-the-middle between Dovecot and the connecting client. Requires a privileged network position, hence the “Adjacent” attack vector, but it is a clean fix: upgrade.
CVE-2026-40020 — IMAP SETACL anyone-inject (CVSS 3.1)
Even when imap_acl_allow_anyone=no is set, an authenticated user can use the IMAP SETACL command to inject the anyone permission into their dovecot-acl file, causing their folders to appear in every other user’s namespace. No unauthorized data access is gained — the impact is limited to folder spam — but it’s an annoying one to explain to customers.
CVE-2026-42006 — imap-login memory DoS, take two (CVSS 4.3)
This is a follow-up to CVE-2026-27857 (patched in OXDC-2026-0001). The previous fix only blocked excessive closing braces in IMAP commands; an attacker could still use excessive opening braces to hit the same memory limit. Fixed properly this time. Mitigation: set a low vsz_limit for the imap process if upgrading is not immediately possible.
Versions affected
All five CVEs are fixed in Dovecot CE 2.4.4 and Dovecot Pro 3.1.5. CVE-2026-40016 affects Pro going all the way back to 2.3.0 — a long-standing bug in the Sieve engine.
What this means for kalfaoglu.net customers
We run Dovecot for IMAP/POP3 access on all shared and managed hosting accounts. We track upstream security advisories and apply patches as part of routine maintenance. CVE-2026-27851 in particular — the SQL/LDAP injection path — is the one that warrants prompt attention, and it has been addressed in our deployment.
If you self-manage a VPS with Dovecot installed (ISPConfig, DirectAdmin, or manual setup), check your installed version with dovecot --version and update via your package manager or from repo.dovecot.org. On Debian/Ubuntu you may need to add the upstream repo to get 2.4.4, since distribution packages often lag behind.
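For the version check above and the CVE-2026-27851 workaround (avoiding the safe filter), here is a small triage script added for this post; it is not part of the advisory or the Dovecot project. It assumes `dovecot --version` prints something like "2.4.3 (abc1234)" and that Dovecot 2.4 writes variable-expansion pipelines as `%{variable | filter}`, so the safe filter appears as `| safe` inside a `%{...}` expression; the sample configuration is constructed.

```sh
#!/bin/sh
# Added example, not from the advisory or the Dovecot project: a triage helper
# for OXDC-2026-0002. Assumes `dovecot --version` prints e.g. "2.4.3 (abc1234)"
# and that Dovecot 2.4 writes variable-expansion pipelines as %{variable | filter},
# so the advisory's safe filter shows up as "| safe" inside a %{...} expression.
FIXED_CE_VERSION="2.4.4"
# True (exit 0) when version $1 is older than $2: compares major.minor.patch
# numerically, ignores a trailing " (hash)" suffix, treats missing parts as 0.
version_older_than() {
    a=${1%% *}; b=$2
    for i in 1 2 3; do
        x=${a%%.*}; y=${b%%.*}
        if [ "$x" = "$a" ]; then a=0; else a=${a#*.}; fi
        if [ "$y" = "$b" ]; then b=0; else b=${b#*.}; fi
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
    done
    return 1
}

# Counts %{...} expansions on stdin that apply the safe filter. On an unpatched
# server each such string feeding an SQL or LDAP query needs review
# (CVE-2026-27851); the advisory's workaround is to drop the filter.
count_safe_filters() {
    grep -oE '%[{][^}]*[|][[:space:]]*safe([[:space:]]|[|]|[}])' | wc -l | tr -d ' '
}

# Constructed sample config (not from any real deployment): two expansions use
# the safe filter, the third uses a different filter and must not be counted.
SAMPLE_CONF='passdb sql {
  query = SELECT password FROM users WHERE userid = "%{user | safe}"
}
userdb ldap {
  filter = (&(objectClass=posixAccount)(uid=%{user | safe}))
}
mail_home = /var/mail/%{user | username}'
# Live checks: installed version, then the running config from `doveconf -n`.
triage() {
    installed=$(dovecot --version 2>/dev/null) || { echo "dovecot not found"; return 2; }
    if version_older_than "$installed" "$FIXED_CE_VERSION"; then
        echo "UPGRADE: Dovecot $installed is older than $FIXED_CE_VERSION (OXDC-2026-0002)"
    else
        echo "OK: Dovecot $installed is at or above $FIXED_CE_VERSION"
    fi
    n=$(doveconf -n 2>/dev/null | count_safe_filters)
    [ "$n" -gt 0 ] && echo "REVIEW: $n expansion(s) use the safe filter (CVE-2026-27851)"
    return 0
}
case "${1:-}" in --run) triage ;; esac
```

Run it with `--run` on the mail server to check the live installation; without arguments it only defines the functions, so it can be sourced into other maintenance scripts.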
The bottom line
Five CVEs, one upgrade, done. The highest severity (7.4) is a pre-auth injection path that sits at the authentication layer — exactly the wrong place to leave unpatched. The rest range from annoying to moderate. Update to 2.4.4 and move on.