{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27860", "assignerOrgId": "8ce71d90-2354-404b-a86e-bec2cc4e6981", "state": "PUBLISHED", "assignerShortName": "OX", "dateReserved": "2026-02-24T08:46:09.374Z", "datePublished": "2026-03-27T08:10:22.695Z", "dateUpdated": "2026-03-27T12:33:57.043Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "modules": ["core"], "product": "OX Dovecot Pro", "vendor": "Open-Xchange GmbH", "versions": [{"lessThanOrEqual": "3.1.0", "status": "affected", "version": "0", "versionType": "semver"}, {"lessThanOrEqual": "2.4.0", "status": "affected", "version": "0", "versionType": "semver"}]}], "descriptions": [{"lang": "en", "value": "If auth_username_chars is empty, it is possible to inject arbitrary LDAP filter to Dovecot's LDAP authentication. This leads to potentially bypassing restrictions and allows probing of LDAP structure. Do not clear out auth_username_chars, or install fixed version. No publicly available exploits are known."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.7, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-90", "description": "Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')", "lang": "en", "type": "cwe"}]}], "providerMetadata": {"orgId": "8ce71d90-2354-404b-a86e-bec2cc4e6981", "shortName": "OX", "dateUpdated": "2026-03-27T12:33:33.940Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://documentation.open-xchange.com/dovecot/security/advisories/csaf/2026/oxdc-adv-2026-0001.json"}], "source": {"defect": "DOV-8775", "discovery": "EXTERNAL"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-27T12:33:33.962683Z", "id": "CVE-2026-27860", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-27T12:33:57.043Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-27860", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-27T12:33:33.962683Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-27T12:33:42.647Z"}}], "cna": {"source": {"defect": "DOV-8775", "discovery": "EXTERNAL"}, "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.7, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Open-Xchange GmbH", "modules": ["core"], "product": "OX Dovecot Pro", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "3.1.0"}, {"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "2.4.0"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://documentation.open-xchange.com/dovecot/security/advisories/csaf/2026/oxdc-adv-2026-0001.json", "tags": ["vendor-advisory"]}], "descriptions": [{"lang": "en", "value": "If auth_username_chars is empty, it is possible to inject arbitrary LDAP filter to Dovecot's LDAP authentication. This leads to potentially bypassing restrictions and allows probing of LDAP structure. Do not clear out auth_username_chars, or install fixed version. No publicly available exploits are known."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "cwe", "cweId": "CWE-90", "description": "Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')"}]}], "providerMetadata": {"orgId": "8ce71d90-2354-404b-a86e-bec2cc4e6981", "shortName": "OX", "dateUpdated": "2026-03-27T12:33:33.940Z"}}}, "cveMetadata": {"cveId": "CVE-2026-27860", "state": "PUBLISHED", "dateUpdated": "2026-03-27T12:33:57.043Z", "dateReserved": "2026-02-24T08:46:09.374Z", "assignerOrgId": "8ce71d90-2354-404b-a86e-bec2cc4e6981", "datePublished": "2026-03-27T08:10:22.695Z", "assignerShortName": "OX"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "If auth_username_chars is empty, it is possible to inject arbitrary LDAP filter to Dovecot's LDAP authentication. This leads to potentially bypassing restrictions and allows probing of LDAP structure. Do not clear out auth_username_chars, or install fixed version. No publicly available exploits are known."}], "id": "CVE-2026-27860", "lastModified": "2026-03-30T13:26:29.793", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.7, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 1.4, "source": "security@open-xchange.com", "type": "Secondary"}]}, "published": "2026-03-27T09:16:20.383", "references": [{"source": "security@open-xchange.com", "url": "https://documentation.open-xchange.com/dovecot/security/advisories/csaf/2026/oxdc-adv-2026-0001.json"}], "sourceIdentifier": "security@open-xchange.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-90"}], "source": "security@open-xchange.com", "type": "Secondary"}]}

{"bugzilla": {"description": "dovecot: Dovecot: Authentication bypass and information disclosure via LDAP filter injection", "id": "2452176", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2452176"}, "csaw": false, "cvss3": {"cvss3_base_score": "3.7", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", "status": "draft"}, "cwe": "CWE-90", "details": ["If auth_username_chars is empty, it is possible to inject arbitrary LDAP filter to Dovecot's LDAP authentication. This leads to potentially bypassing restrictions and allows probing of LDAP structure. Do not clear out auth_username_chars, or install fixed version. No publicly available exploits are known.", "A flaw was found in Dovecot. A remote attacker could exploit this vulnerability by injecting malicious Lightweight Directory Access Protocol (LDAP) filters during the authentication process. This is possible if the `auth_username_chars` configuration setting is empty. Successful exploitation could allow the attacker to bypass authentication restrictions and gain unauthorized access to information about the LDAP directory structure."], "name": "CVE-2026-27860", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "dovecot", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "dovecot", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Fix deferred", "package_name": "dovecot", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "dovecot", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "dovecot", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-03-27T08:10:22Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-27860\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-27860\nhttps://documentation.open-xchange.com/dovecot/security/advisories/csaf/2026/oxdc-adv-2026-0001.json"], "threat_severity": "Low"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.1.0]"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.4.0]"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "OX Dovecot Pro", "source": "cna", "vendor": "Open-Xchange GmbH"}, "product": "ox_dovecot_pro", "vendor": "open-xchange"}], "analysis": {"en": {"generated_at": "2026-03-27T09:35:46.979194+00:00", "value": {"mitigation_remediation": ["Apply the latest fixed version of OX Dovecot Pro released by Open\u2011Xchange.", "If an update is not yet available, configure the server so that the auth_username_chars setting is not left empty.", "Verify that LDAP queries are properly sanitized and that authentication corresponds to the expected user.", "Monitor logs for anomalous LDAP requests that may indicate an attempted injection."], "summary": {"action": "Apply Patch", "impact": "Authentication Bypass and LDAP Structure Disclosure"}, "threat_synthesis": {"affected_systems": "Open\u2011Xchange GmbH\u2019s OX Dovecot Pro is the affected product. No specific vulnerable versions are listed in the advisory, so all releases that use the default or an empty auth_username_chars value are potentially impacted.", "description_and_impact": "Authentication credentials can be manipulated when the configuration parameter auth_username_chars is left empty. This allows an attacker to inject arbitrary LDAP filters into the authentication process, potentially bypassing access controls and revealing information about the LDAP directory. The weakness corresponds to CWE-90, which addresses LDAP Injection.", "risk_and_exploitability": "With a CVSS score of 3.7 the vulnerability is considered low severity. No public exploits are known and the EPSS score is unavailable, suggesting limited exploitation risk under current conditions. Since the vulnerability relies on a misconfiguration that allows LDAP filter injection, an attacker must have the ability to provide authentication credentials to the affected service. The CISA KEV list does not include this issue, indicating it has not yet been exploited in the wild."}}}}, "created": "2026-03-27T09:45:42.795969+00:00", "title": "LDAP Filter Injection in Open\u2011Xchange OX Dovecot Pro", "updated": "2026-03-30T07:02:11.577486+00:00", "vendors": ["open-xchange", "open-xchange$PRODUCT$ox_dovecot_pro"]}