CVE-2026-27851

When safe filter is used with variable expansion, all following pipelines on the same string are incorrectly interpreted as safe too, enabling unsafe data to be unescaped. This can enable SQL / LDAP injection attacks when used in authentication. Avoid using safe filter until on fixed version. No publicly available exploits are known.

CVSS v3 7.4 HIGH

7.4^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.2 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://documentation.open-xchange.com/dovecot/security/advisories/csaf/2026/oxdc-adv-2026-0002.json	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:dovecot:dovecot::::::::
	cpe:2.3:a:open-xchange:dovecot:::::pro:::*

History

18 May 2026, 17:29

Type	Values Removed	Values Added
References	~~() https://documentation.open-xchange.com/dovecot/security/advisories/csaf/2026/oxdc-adv-2026-0002.json -~~	() https://documentation.open-xchange.com/dovecot/security/advisories/csaf/2026/oxdc-adv-2026-0002.json - Vendor Advisory
CPE		cpe:2.3:a:dovecot:dovecot:::::::: cpe:2.3:a:open-xchange:dovecot:::::pro:::*
First Time		Dovecot Dovecot dovecot Open-xchange Open-xchange dovecot

12 May 2026, 14:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-05-12 14:16

Updated : 2026-05-18 17:29

NVD link : CVE-2026-27851

Mitre link : CVE-2026-27851

CVE.ORG link : CVE-2026-27851

JSON object : View

Products Affected

dovecot

dovecot

open-xchange

dovecot

CWE

CWE-235

Improper Handling of Extra Parameters

{"id": "CVE-2026-27851", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security@open-xchange.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.4, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 2.2}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 3.9}]}, "published": "2026-05-12T14:16:56.857", "references": [{"url": "https://documentation.open-xchange.com/dovecot/security/advisories/csaf/2026/oxdc-adv-2026-0002.json", "tags": ["Vendor Advisory"], "source": "security@open-xchange.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security@open-xchange.com", "description": [{"lang": "en", "value": "CWE-235"}]}], "descriptions": [{"lang": "en", "value": "When safe filter is used with variable expansion, all following pipelines on the same string are incorrectly interpreted as safe too, enabling unsafe data to be unescaped. This can enable SQL / LDAP injection attacks when used in authentication. Avoid using safe filter until on fixed version. No publicly available exploits are known."}], "lastModified": "2026-05-18T17:29:09.793", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:dovecot:dovecot:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "86CE1F3B-DF73-431A-9EC0-491E8969A187", "versionEndExcluding": "2.4.4"}, {"criteria": "cpe:2.3:a:open-xchange:dovecot:*:*:*:*:pro:*:*:*", "vulnerable": true, "matchCriteriaId": "28C2DD58-A4B0-4F2C-BC60-F30F380251BC", "versionEndExcluding": "3.1.5"}], "operator": "OR"}]}], "sourceIdentifier": "security@open-xchange.com"}