https://blog.kalfaoglu.net/tags/mail-server/Recent content in Mail-Server on kalfaoglu.netHugoenFri, 29 May 2026 00:00:00 +0000https://blog.kalfaoglu.net/posts/2026-05-29-dovecot-oxdc-2026-0002-en/Fri, 29 May 2026 00:00:00 +0000https://blog.kalfaoglu.net/posts/2026-05-29-dovecot-oxdc-2026-0002-en/<p>On 5 May 2026, the Dovecot team published security advisory <a href="https://seclists.org/fulldisclosure/2026/May/2">OXDC-2026-0002</a>, covering five vulnerabilities fixed in <strong>OX Dovecot CE 2.4.4</strong> (and Pro 3.1.5). If you are running Dovecot CE 2.4.3 or earlier, this is your prompt to upgrade.</p> <h2 id="whats-in-the-advisory">What&rsquo;s in the advisory</h2> <p><strong>CVE-2026-27851 — SQL/LDAP injection via variable expansion (CVSS 7.4)</strong></p> <p>The most serious of the five. When the <code>safe</code> filter is used in Dovecot&rsquo;s variable expansion (<code>lib-var-expand</code>), it incorrectly treats all subsequent pipelines on the same string as safe too. The result: attacker-controlled data can bypass escaping and land unmodified in SQL or LDAP queries used for authentication. No public exploit exists yet, but CVSS 7.4 with a network attack vector and no required privileges is not something to sit on. If you cannot upgrade immediately, the workaround is to avoid the <code>safe</code> filter in your configuration until you can.</p>