Man-in-the-Middle Security Flaw in Dovecot by Open-Xchange
CVE-2026-33603
6.8 MEDIUM
What is CVE-2026-33603?
An attacker can exploit a vulnerability in Dovecot by intercepting and manipulating the base64 data exchanged during SCRAM TLS channel binding. The attacker must be positioned between the client and the Dovecot server. A successful attack allows the attacker to eavesdrop on communications, potentially leading to unauthorized access or data leaks. Update to the patched version of Dovecot to mitigate this risk. No public exploits have currently been reported.
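For context on the base64 data involved: in SCRAM (RFC 5802) the client-final-message begins with a `c=` attribute, the base64 of the GS2 header followed by the TLS channel-binding data, and the server compares it with the value derived from its own TLS session. The sketch below is an added example of a strict server-side check, not Dovecot code and not a reproduction of this flaw. The function name, the `tls-exporter` binding type and all sample values are constructed for illustration.

```python
import base64
import binascii
import hmac

# Constructed sample values, not taken from any real session.
SAMPLE_GS2 = b"p=tls-exporter,,"      # GS2 header from client-first-message
SAMPLE_CB = bytes(range(32))          # stand-in for the server's TLS binding data


def verify_channel_binding(client_final: str, gs2_header: bytes,
                           server_cb_data: bytes) -> bool:
    """Return True only if c= matches what this server's TLS session implies."""
    first = client_final.split(",", 1)[0]
    # RFC 5802: the channel-binding attribute is the first one in the message.
    if not first.startswith("c="):
        return False
    c_value = first[2:]
    try:
        # validate=True rejects characters outside the base64 alphabet
        # instead of silently skipping them.
        received = base64.b64decode(c_value, validate=True)
    except (binascii.Error, ValueError):
        return False
    # Accept only the canonical encoding of the decoded bytes.
    if base64.b64encode(received).decode("ascii") != c_value:
        return False
    expected = gs2_header + server_cb_data
    # Constant-time comparison of the full decoded value.
    return hmac.compare_digest(received, expected)


def sample_client_final(cb_data: bytes) -> str:
    """Build a constructed client-final-message for the given binding data."""
    c_value = base64.b64encode(SAMPLE_GS2 + cb_data).decode("ascii")
    return f"c={c_value},r=constructed-nonce,p=AAAA"


if __name__ == "__main__":
    good = sample_client_final(SAMPLE_CB)
    relayed = sample_client_final(bytes(32))  # binding data of a different TLS session
    print("same TLS session:     ", verify_channel_binding(good, SAMPLE_GS2, SAMPLE_CB))
    print("different TLS session:", verify_channel_binding(relayed, SAMPLE_GS2, SAMPLE_CB))
```

When a connection is relayed through an intermediary, the client and server sides are separate TLS sessions with different binding data, so the strict comparison fails and authentication is refused.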
Affected Version(s)
OX Dovecot Pro 0 <= 3.1.0
OX Dovecot Pro 0 <= 2.4.0
