CVE-2026-0394: Path Traversal in Dovecot

CWE-22 (Path Traversal) | 8 documents | 7 sources

Severity: 5.3 MEDIUM (NVD)
EPSS: 0.1% (top 83.89%)
CISA KEV: Not in KEV
Exploit: No known exploits

Timeline
Published: Mar 27
Latest update: Mar 31

Description

When Dovecot has been configured to use per-domain passwd files, and they are placed one path component above /etc, or slash has been added to the allowed characters, path traversal can happen if the domain component is a partial directory name. This allows inadvertently reading /etc/passwd (or some other path which ends with passwd). If this file contains passwords, it can be used to authenticate wrongly, or if this is a userdb, it can unexpectedly make system users appear to be valid users. Upgrade to fixed versio

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Exploitability: 3.9 | Impact: 1.4

Affected Packages (4 packages)

- Debian, debian/dovecot: < dovecot 1:2.3.19.1+dfsg1-2.1+deb12u2 (bookworm)
- Debian, dovecot/dovecot: < 1:2.3.19.1+dfsg1-2.1+deb12u2+2
- Ubuntu, dovecot/dovecot: < 1:2.3.16+dfsg1-3ubuntu2.7+2

Vulnerability Details (3)

- OSV: dovecot vulnerabilities (2026-03-31)
- OSV: CVE-2026-0394: When dovecot has been configured to use per-domain passwd files, and they are placed one path component above /etc, or slash has been added to allowed (2026-03-27)
- GHSA: GHSA-xmp7-q4wc-cq3x: When dovecot has been configured to use per-domain passwd files, and they are placed one path component above /etc, or slash has been added to allowed (2026-03-27)

Vendor Advisories (3)

- Ubuntu: Dovecot vulnerabilities (2026-03-31)
- Red Hat: dovecot: Dovecot: Information disclosure and authentication bypass via path traversal (2026-03-27)
- Debian: CVE-2026-0394: dovecot - When dovecot has been configured to use per-domain passwd files, and they are pl... (2026)

Threat Intelligence (1)

- Wiz: CVE-2026-0394 Impact, Exploitability, and Mitigation Steps | Wiz