LDAP Injection Vulnerability in Dovecot by Open-Xchange
CVE-2026-27860

3.7 LOW

Key Information:

Vendor:
CVE Published:
27 March 2026

What is CVE-2026-27860?

An LDAP injection vulnerability exists in Dovecot's LDAP authentication process when the 'auth_username_chars' parameter is left empty. With no allowed-character restriction on the username, an attacker can inject arbitrary LDAP filters, bypassing authentication restrictions. Consequently, this vulnerability could enable unauthorized probing of the LDAP structure, compromising the security of the environment. Users are advised not to clear the 'auth_username_chars' parameter and to upgrade to the patched version to mitigate the risk.
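The following is an added illustration, not Dovecot's own code: it models the 'auth_username_chars' check (an empty set allows every character) and shows how a username carrying an LDAP filter metacharacter is rejected by the default character set but reaches the filter unchanged when the set is empty. The default character set is quoted from the Dovecot documentation as recalled here (verify against your version), and the RFC 4515 escaping function is an additional defence-in-depth shown for comparison, not a description of what Dovecot does internally.

```python
from typing import Optional

# Default value of auth_username_chars as documented by Dovecot
# (assumption: reproduced from the docs; check your installed version).
DEFAULT_USERNAME_CHARS = (
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@"
)

# Characters with special meaning inside an LDAP search filter (RFC 4515, section 3).
_LDAP_FILTER_ESCAPES = {
    "\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00",
}


def username_allowed(username: str, allowed_chars: str) -> bool:
    """Model of the auth_username_chars check: an empty set means no restriction."""
    if allowed_chars == "":
        return True
    return all(c in allowed_chars for c in username)


def escape_ldap_filter_value(value: str) -> str:
    """Escape a value so it is treated literally inside an LDAP filter (RFC 4515)."""
    return "".join(_LDAP_FILTER_ESCAPES.get(c, c) for c in value)


def build_user_filter(username: str, allowed_chars: str, escape: bool) -> Optional[str]:
    """Build a user lookup filter; return None when the character check rejects the name.

    The filter template is a constructed example, not Dovecot's actual query.
    """
    if not username_allowed(username, allowed_chars):
        return None
    value = escape_ldap_filter_value(username) if escape else username
    return f"(&(objectClass=posixAccount)(uid={value}))"


if __name__ == "__main__":
    probe = "al*ce"  # constructed sample: a username containing the '*' wildcard
    # Empty auth_username_chars, no escaping: the wildcard reaches the LDAP filter.
    print(build_user_filter(probe, "", escape=False))
    # Default auth_username_chars: the name is rejected before any query is built.
    print(build_user_filter(probe, DEFAULT_USERNAME_CHARS, escape=False))
    # Escaping as defence in depth: the wildcard becomes a literal '\2a'.
    print(build_user_filter(probe, "", escape=True))
```

Running the block prints the unescaped filter, `None`, and the escaped filter in that order, which is the behaviour the three cases are meant to contrast.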

Affected Version(s)

OX Dovecot Pro 0 <= 3.1.0

OX Dovecot Pro 0 <= 2.4.0

References

CVSS V3.1

Score:
3.7
Severity:
LOW
Confidentiality:
Low
Integrity:
None
Availability:
Low
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability Published

  • Vulnerability Reserved
