Sieve Script Bypass Vulnerability in Dovecot by Open-Xchange
CVE-2026-40016

5.3 MEDIUM

Key Information:

Vendor
CVE Published:
12 May 2026

What is CVE-2026-40016?

A vulnerability exists in the Dovecot email server's Sieve scripting feature. An attacker can exploit it by uploading a malicious Sieve script, either through the ManageSieve service or locally. A successful exploit lets the attacker bypass the configured CPU time limits, potentially raising the server's CPU usage to as much as 130 times the defined limit. This can significantly degrade server performance and affect overall system stability. Users are encouraged to install the fixed version or to restrict direct access to Sieve scripts in order to mitigate this vulnerability.

Affected Version(s)

OX Dovecot Pro, all versions up to and including 2.3.0

CVSS V3.1

Score: 5.3
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published
  • Vulnerability reserved