CVE-2026-40020

Attacker can use the IMAP SETACL command to inject the anyone permission to user's dovecot-acl file even if imap_acl_allow_anyone=no. This causes folders to be spammed to all users. The impact is limited to being able to spam folders to other users, no unexpected access is gained. Install to fixed version. No publicly available exploits are known.

CVSS v3 3.1 LOW

3.1^/10

CVSS v3 : LOW

Vector :

Exploitability : 1.6 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact LOW

Scope UNCHANGED

References

Link	Resource
https://documentation.open-xchange.com/dovecot/security/advisories/csaf/2026/oxdc-adv-2026-0002.json	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:dovecot:dovecot::::::::
	cpe:2.3:a:open-xchange:dovecot:::::pro:::*

History

18 May 2026, 17:36

Type	Values Removed	Values Added
First Time		Dovecot Dovecot dovecot Open-xchange Open-xchange dovecot
References	~~() https://documentation.open-xchange.com/dovecot/security/advisories/csaf/2026/oxdc-adv-2026-0002.json -~~	() https://documentation.open-xchange.com/dovecot/security/advisories/csaf/2026/oxdc-adv-2026-0002.json - Vendor Advisory
CPE		cpe:2.3:a:dovecot:dovecot:::::::: cpe:2.3:a:open-xchange:dovecot:::::pro:::*
CWE		NVD-CWE-noinfo

12 May 2026, 14:17

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-05-12 14:17

Updated : 2026-05-18 17:36

NVD link : CVE-2026-40020

Mitre link : CVE-2026-40020

CVE.ORG link : CVE-2026-40020

JSON object : View

Products Affected

dovecot

dovecot

open-xchange

dovecot

CWE

CWE-284

Improper Access Control

NVD-CWE-noinfo

{"id": "CVE-2026-40020", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security@open-xchange.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.1, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 1.6}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 2.8}]}, "published": "2026-05-12T14:17:03.687", "references": [{"url": "https://documentation.open-xchange.com/dovecot/security/advisories/csaf/2026/oxdc-adv-2026-0002.json", "tags": ["Vendor Advisory"], "source": "security@open-xchange.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security@open-xchange.com", "description": [{"lang": "en", "value": "CWE-284"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "Attacker can use the IMAP SETACL command to inject the anyone permission to user's dovecot-acl file even if imap_acl_allow_anyone=no. This causes folders to be spammed to all users. The impact is limited to being able to spam folders to other users, no unexpected access is gained. Install to fixed version. No publicly available exploits are known."}], "lastModified": "2026-05-18T17:36:04.530", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:dovecot:dovecot:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "86CE1F3B-DF73-431A-9EC0-491E8969A187", "versionEndExcluding": "2.4.4"}, {"criteria": "cpe:2.3:a:open-xchange:dovecot:*:*:*:*:pro:*:*:*", "vulnerable": true, "matchCriteriaId": "28C2DD58-A4B0-4F2C-BC60-F30F380251BC", "versionEndExcluding": "3.1.5"}], "operator": "OR"}]}], "sourceIdentifier": "security@open-xchange.com"}