IMAP Command Injection Flaw in Dovecot Mail Server by Open-Xchange
CVE-2026-40020

3.1 LOW

Key Information:

Vendor: Open-Xchange
CVE Published: 12 May 2026

What is CVE-2026-40020?

A vulnerability has been identified in the Dovecot Mail Server: an attacker can use the IMAP SETACL command to inject permissions into a user's dovecot-acl file, even when the configuration setting imap_acl_allow_anyone is set to 'no'. Exploiting this flaw lets attackers spam folders to all users, which can disrupt email service usage. Installing patched versions mitigates this risk; no public exploits are known at this time.
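The practical question for an administrator is whether any dovecot-acl file already carries a grant to the virtual identifiers `anyone` or `authenticated` that the `imap_acl_allow_anyone = no` policy says should not exist. The following audit script is an added example, not Dovecot's own code or part of this advisory. It assumes the documented dovecot-acl line format `<identifier> <rights>` (identifiers such as `owner`, `user=bob`, `anyone`, `authenticated`; a leading `-` denies rights instead of granting them) and the plugin setting `imap_acl_allow_anyone = yes|no`; the configuration snippet and ACL file contents below are constructed sample data.

```python
"""Audit dovecot-acl files for rights granted to 'anyone' or 'authenticated'.

Added example; not Dovecot's code. Assumes the dovecot-acl line format
`<identifier> <rights>` (a leading '-' on the identifier denies rights) and
the plugin setting `imap_acl_allow_anyone = yes|no`. Sample data is constructed.
"""
import re

# Identifiers that expose a mailbox to every user of the server.
PUBLIC_IDS = {"anyone", "authenticated"}


def allow_anyone_enabled(conf_text):
    """True only if the config explicitly sets imap_acl_allow_anyone = yes."""
    m = re.search(r"^\s*imap_acl_allow_anyone\s*=\s*(\S+)", conf_text, re.M)
    return bool(m) and m.group(1).lower() == "yes"


def parse_acl(text):
    """Yield (identifier, rights, negative) for each entry in a dovecot-acl file.

    Blank lines and '#' comments are skipped; rights tokens are normalised to
    a single space-separated string so letter form and name form both survive.
    """
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        ident = parts[0]
        rights = " ".join(parts[1].split()) if len(parts) > 1 else ""
        negative = ident.startswith("-")
        yield ident.lstrip("-"), rights, negative


def find_public_grants(acl_files):
    """acl_files maps path -> file content. Return (path, identifier, rights)
    for every positive grant to a public identifier."""
    findings = []
    for path, text in acl_files.items():
        for ident, rights, negative in parse_acl(text):
            if ident in PUBLIC_IDS and not negative and rights:
                findings.append((path, ident, rights))
    return findings


def audit(conf_text, acl_files):
    """Return the public grants that contradict the configured policy.

    With imap_acl_allow_anyone=no, users should not be able to create grants
    to 'anyone' or 'authenticated', so any such entry is worth investigating
    (it may have been injected, or predate the setting). When the setting is
    yes, the grants are permitted by policy and nothing is flagged.
    """
    if allow_anyone_enabled(conf_text):
        return []
    return find_public_grants(acl_files)


# Constructed sample configuration and ACL files (hypothetical paths).
SAMPLE_CONF = "plugin {\n  imap_acl_allow_anyone = no\n}\n"
SAMPLE_ACLS = {
    "/var/mail/alice/Maildir/dovecot-acl": "owner lrwstipekxa\nuser=bob lr\n",
    "/var/mail/mallory/Maildir/.Spam/dovecot-acl": "owner lrwstipekxa\nanyone lrs\n",
    "/var/mail/carol/Maildir/dovecot-acl": "-anyone lr\nauthenticated l\n",
}

if __name__ == "__main__":
    for path, ident, rights in audit(SAMPLE_CONF, SAMPLE_ACLS):
        print(f"{path}: '{ident}' granted {rights}")
```

In a real deployment the `acl_files` mapping would be built by walking the mail store for files named `dovecot-acl` (or the `dovecot-acl-list` index); the script deliberately takes file contents as input so it can be run against copies collected from a host without touching the mail spool directly.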

Affected Version(s)

OX Dovecot Pro 0 <= 2.3.0

References

CVSS V3.1

Score: 3.1
Severity: LOW
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability reserved
