CVE-2026-27860: LDAP Injection in Dovecot

CWE-90: LDAP Injection (18 documents, 7 sources)
Severity: 3.7 LOW (NVD); 5.3 (OSV)
EPSS: 0.1% (top 82.37%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Mar 27; latest update Mar 31

Description

If auth_username_chars is empty, it is possible to inject an arbitrary LDAP filter into Dovecot's LDAP authentication. This can bypass restrictions and allows probing of the LDAP structure. Do not clear out auth_username_chars, or install a fixed version. No publicly available exploits are known.
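The mitigation above is the character allow-list applied to the login name before it reaches the LDAP filter. The following is an added example (not Dovecot's code) that models that check in Python: the allow-list string is assumed to be Dovecot's documented default (verify on your host with `doveconf auth_username_chars`), an empty list is treated as "accept everything" as the description implies, and the RFC 4515 value escaping is an extra defence-in-depth step in this model, not a claim about what Dovecot itself does.

```python
# Added example: model of an auth_username_chars allow-list check plus
# RFC 4515 escaping of the value substituted into an LDAP search filter.
# Not Dovecot source; the default below is assumed from Dovecot's docs.

# Assumed documented default; confirm with: doveconf auth_username_chars
DEFAULT_AUTH_USERNAME_CHARS = (
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@"
)

# Characters that carry meaning inside an LDAP filter (RFC 4515).
LDAP_FILTER_META = set("*()\\\0")


def username_allowed(username: str,
                     auth_username_chars: str = DEFAULT_AUTH_USERNAME_CHARS) -> bool:
    """Return True if every character of username is in the allow-list.

    An empty allow-list disables the check, which is the weak setting
    the advisory warns about: filter metacharacters are then accepted.
    """
    if auth_username_chars == "":
        return True
    return all(ch in auth_username_chars for ch in username)


def escape_ldap_filter_value(value: str) -> str:
    """Escape filter metacharacters as \\XX hex pairs per RFC 4515."""
    return "".join(
        "\\%02x" % ord(ch) if ch in LDAP_FILTER_META else ch for ch in value
    )


def build_user_filter(username: str,
                      auth_username_chars: str = DEFAULT_AUTH_USERNAME_CHARS,
                      template: str = "(&(objectClass=posixAccount)(uid=%u))") -> str:
    """Reject disallowed names first, then escape before substituting %u.

    Raises ValueError instead of building a filter for a rejected name,
    so a misconfigured (empty) allow-list is the only way metacharacters
    get as far as the escaping step.
    """
    if not username_allowed(username, auth_username_chars):
        raise ValueError("login name contains characters outside auth_username_chars")
    return template.replace("%u", escape_ldap_filter_value(username))


if __name__ == "__main__":
    # Constructed sample inputs.
    print(build_user_filter("alice@example.org"))
    print(username_allowed("a(b", ""))   # empty list: accepted (weak setting)
    print(username_allowed("a(b"))       # default list: rejected
```

With the default allow-list the filter metacharacters never reach the filter; with the list cleared, only the escaping step in this model stands between the login name and the filter.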

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Exploitability: 2.2 | Impact: 1.4

Affected Packages (4 packages)

Debian (sid), debian/dovecot: < 1:2.4.3+dfsg1-1
Debian, dovecot/dovecot: < 1:2.4.1+dfsg1-6+deb13u4
Ubuntu, dovecot/dovecot: < 1:2.3.16+dfsg1-3ubuntu2.7+2

Vulnerability Details (3)

OSV: dovecot vulnerabilities (2026-03-31)
GHSA: GHSA-3322-wpc2-p4m7: If auth_username_chars is empty, it is possible to inject arbitrary LDAP filter to Dovecot's LDAP authentication (2026-03-27)
OSV: CVE-2026-27860: If auth_username_chars is empty, it is possible to inject arbitrary LDAP filter to Dovecot's LDAP authentication (2026-03-27)

Vendor Advisories (3)

Ubuntu: Dovecot vulnerabilities (2026-03-31)
Red Hat: dovecot: Dovecot: Authentication bypass and information disclosure via LDAP filter injection (2026-03-27)
Debian: CVE-2026-27860: dovecot - If auth_username_chars is empty, it is possible to inject arbitrary LDAP filter ... (2026)

Threat Intelligence (11)

Wiz: CVE-2026-27858 Impact, Exploitability, and Mitigation Steps | Wiz
Wiz: CVE-2026-0394 Impact, Exploitability, and Mitigation Steps | Wiz
Wiz: CVE-2026-27856 Impact, Exploitability, and Mitigation Steps | Wiz
Wiz: CVE-2026-27855 Impact, Exploitability, and Mitigation Steps | Wiz
Wiz: CVE-2025-59032 Impact, Exploitability, and Mitigation Steps | Wiz