Input Validation Flaw in Dovecot by Open-Xchange
CVE-2026-27851

7.4 HIGH

Key Information:

Vendor
CVE Published: 12 May 2026

What is CVE-2026-27851?

An input validation flaw in Dovecot's variable expansion: when the safe filter is used, subsequent pipelines on the same string are misinterpreted as safe. As a result, unsafe data may end up unescaped, leading to SQL and LDAP injection during authentication. Users are advised to refrain from using the safe filter until a patch is applied. No publicly available exploits are currently known.

Affected Version(s)

OX Dovecot Pro 0 <= 3.1.4

OX Dovecot Pro 0 <= 2.4.3

CVSS V3.1

Score: 7.4
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
