{"id":"USN-8365-1","summary":"dovecot vulnerabilities","details":"It was discovered that Dovecot incorrectly treated some variable expansion\npipelines as safe in authentication filters. An attacker could possibly use\nthis issue to perform SQL or LDAP injection attacks. This issue only\naffected Ubuntu 25.10 and Ubuntu 26.04 LTS. (CVE-2026-27851)\n\nIt was discovered that Dovecot incorrectly verified SCRAM TLS channel\nbinding in certain base64 exchanges. A remote attacker could possibly use\nthis issue to obtain sensitive information in a machine-in-the-middle\nattack. (CVE-2026-33603)\n\nIt was discovered that Dovecot incorrectly enforced Sieve script CPU\nlimits. An attacker could possibly use this issue to cause Dovecot to use\nexcessive resources, leading to a denial of service. (CVE-2026-40016)\n\nIt was discovered that Dovecot incorrectly handled certain IMAP SETACL\ncommands. An attacker could possibly use this issue to spam folders to\nother users. (CVE-2026-40020)\n\nIt was discovered that Dovecot incorrectly handled excessive IMAP bracing.\nAn attacker could possibly use this issue to cause Dovecot to use excessive\nresources, leading to a denial of service. (CVE-2026-42006)","modified":"2026-06-30T18:16:45.062183426Z","published":"2026-06-02T12:42:17Z","related":["UBUNTU-CVE-2026-27851","UBUNTU-CVE-2026-33603","UBUNTU-CVE-2026-40016","UBUNTU-CVE-2026-40020","UBUNTU-CVE-2026-42006"],"upstream":["UBUNTU-CVE-2026-27851","UBUNTU-CVE-2026-33603","UBUNTU-CVE-2026-40016","UBUNTU-CVE-2026-40020","UBUNTU-CVE-2026-42006"],"references":[{"type":"ADVISORY","url":"https://ubuntu.com/security/notices/USN-8365-1"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2026-27851"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2026-33603"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2026-40016"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2026-40020"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2026-42006"}],"affected":[{"package":{"name":"dovecot","ecosystem":"Ubuntu:22.04:LTS","purl":"pkg:deb/ubuntu/dovecot?arch=source&distro=jammy"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1:2.3.16+dfsg1-3ubuntu2.9"}]}],"versions":["1:2.3.13+dfsg1-1ubuntu3","1:2.3.16+dfsg1-3ubuntu1","1:2.3.16+dfsg1-3ubuntu2","1:2.3.16+dfsg1-3ubuntu2.1","1:2.3.16+dfsg1-3ubuntu2.2","1:2.3.16+dfsg1-3ubuntu2.4","1:2.3.16+dfsg1-3ubuntu2.6","1:2.3.16+dfsg1-3ubuntu2.7","1:2.3.16+dfsg1-3ubuntu2.8"],"ecosystem_specific":{"availability":"No subscription required","binaries":[{"binary_name":"dovecot-auth-lua","binary_version":"1:2.3.16+dfsg1-3ubuntu2.9"},{"binary_name":"dovecot-core","binary_version":"1:2.3.16+dfsg1-3ubuntu2.9"},{"binary_name":"dovecot-gssapi","binary_version":"1:2.3.16+dfsg1-3ubuntu2.9"},{"binary_name":"dovecot-imapd","binary_version":"1:2.3.16+dfsg1-3ubuntu2.9"},{"binary_version":"1:2.3.16+dfsg1-3ubuntu2.9","binary_name":"dovecot-ldap"},{"binary_name":"dovecot-lmtpd","binary_version":"1:2.3.16+dfsg1-3ubuntu2.9"},{"binary_name":"dovecot-lucene","binary_version":"1:2.3.16+dfsg1-3ubuntu2.9"},{"binary_name":"dovecot-managesieved","binary_version":"1:2.3.16+dfsg1-3ubuntu2.9"},{"binary_name":"dovecot-mysql","binary_version":"1:2.3.16+dfsg1-3ubuntu2.9"},{"binary_version":"1:2.3.16+dfsg1-3ubuntu2.9","binary_name":"dovecot-pgsql"},{"binary_version":"1:2.3.16+dfsg1-3ubuntu2.9","binary_name":"dovecot-pop3d"},{"binary_name":"dovecot-sieve","binary_version":"1:2.3.16+dfsg1-3ubuntu2.9"},{"binary_name":"dovecot-solr","binary_version":"1:2.3.16+dfsg1-3ubuntu2.9"},{"binary_name":"dovecot-sqlite","binary_version":"1:2.3.16+dfsg1-3ubuntu2.9"},{"binary_name":"dovecot-submissiond","binary_version":"1:2.3.16+dfsg1-3ubuntu2.9"}]},"database_specific":{"cves_map":{"ecosystem":"Ubuntu:22.04:LTS","cves":[{"severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"type":"CVSS_V3","score":"CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"type":"Ubuntu","score":"medium"}],"id":"CVE-2026-33603"},{"id":"CVE-2026-40016","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"type":"Ubuntu","score":"medium"}]},{"id":"CVE-2026-40020","severity":[{"score":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L","type":"CVSS_V3"},{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L"},{"type":"Ubuntu","score":"medium"}]},{"id":"CVE-2026-42006","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L"},{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","type":"CVSS_V3"},{"type":"Ubuntu","score":"medium"}]}]},"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-8365-1.json"}},{"package":{"name":"dovecot","ecosystem":"Ubuntu:24.04:LTS","purl":"pkg:deb/ubuntu/dovecot?arch=source&distro=noble"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1:2.3.21+dfsg1-2ubuntu6.5"}]}],"versions":["1:2.3.20+dfsg1-1ubuntu3","1:2.3.21+dfsg1-2ubuntu1","1:2.3.21+dfsg1-2ubuntu2","1:2.3.21+dfsg1-2ubuntu4","1:2.3.21+dfsg1-2ubuntu5","1:2.3.21+dfsg1-2ubuntu6","1:2.3.21+dfsg1-2ubuntu6.1","1:2.3.21+dfsg1-2ubuntu6.2","1:2.3.21+dfsg1-2ubuntu6.3","1:2.3.21+dfsg1-2ubuntu6.4"],"ecosystem_specific":{"availability":"No subscription required","binaries":[{"binary_name":"dovecot-auth-lua","binary_version":"1:2.3.21+dfsg1-2ubuntu6.5"},{"binary_version":"1:2.3.21+dfsg1-2ubuntu6.5","binary_name":"dovecot-core"},{"binary_version":"1:2.3.21+dfsg1-2ubuntu6.5","binary_name":"dovecot-gssapi"},{"binary_version":"1:2.3.21+dfsg1-2ubuntu6.5","binary_name":"dovecot-imapd"},{"binary_name":"dovecot-ldap","binary_version":"1:2.3.21+dfsg1-2ubuntu6.5"},{"binary_name":"dovecot-lmtpd","binary_version":"1:2.3.21+dfsg1-2ubuntu6.5"},{"binary_name":"dovecot-managesieved","binary_version":"1:2.3.21+dfsg1-2ubuntu6.5"},{"binary_version":"1:2.3.21+dfsg1-2ubuntu6.5","binary_name":"dovecot-mysql"},{"binary_name":"dovecot-pgsql","binary_version":"1:2.3.21+dfsg1-2ubuntu6.5"},{"binary_version":"1:2.3.21+dfsg1-2ubuntu6.5","binary_name":"dovecot-pop3d"},{"binary_version":"1:2.3.21+dfsg1-2ubuntu6.5","binary_name":"dovecot-sieve"},{"binary_name":"dovecot-solr","binary_version":"1:2.3.21+dfsg1-2ubuntu6.5"},{"binary_version":"1:2.3.21+dfsg1-2ubuntu6.5","binary_name":"dovecot-sqlite"},{"binary_name":"dovecot-submissiond","binary_version":"1:2.3.21+dfsg1-2ubuntu6.5"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-8365-1.json","cves_map":{"ecosystem":"Ubuntu:24.04:LTS","cves":[{"id":"CVE-2026-33603","severity":[{"score":"CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N","type":"CVSS_V3"},{"type":"CVSS_V3","score":"CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"score":"medium","type":"Ubuntu"}]},{"id":"CVE-2026-40016","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"type":"Ubuntu","score":"medium"}]},{"severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L"},{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L"},{"score":"medium","type":"Ubuntu"}],"id":"CVE-2026-40020"},{"severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L"},{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"score":"medium","type":"Ubuntu"}],"id":"CVE-2026-42006"}]}}},{"package":{"name":"dovecot","ecosystem":"Ubuntu:25.10","purl":"pkg:deb/ubuntu/dovecot?arch=source&distro=questing"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1:2.4.1+dfsg1-5ubuntu4.2"}]}],"versions":["1:2.3.21.1+dfsg1-1ubuntu2","1:2.4.1+dfsg1-5ubuntu1","1:2.4.1+dfsg1-5ubuntu3","1:2.4.1+dfsg1-5ubuntu4","1:2.4.1+dfsg1-5ubuntu4.1"],"ecosystem_specific":{"binaries":[{"binary_version":"1:2.4.1+dfsg1-5ubuntu4.2","binary_name":"dovecot-auth-lua"},{"binary_name":"dovecot-core","binary_version":"1:2.4.1+dfsg1-5ubuntu4.2"},{"binary_version":"1:2.4.1+dfsg1-5ubuntu4.2","binary_name":"dovecot-flatcurve"},{"binary_name":"dovecot-gssapi","binary_version":"1:2.4.1+dfsg1-5ubuntu4.2"},{"binary_name":"dovecot-imapd","binary_version":"1:2.4.1+dfsg1-5ubuntu4.2"},{"binary_version":"1:2.4.1+dfsg1-5ubuntu4.2","binary_name":"dovecot-ldap"},{"binary_name":"dovecot-lmtpd","binary_version":"1:2.4.1+dfsg1-5ubuntu4.2"},{"binary_name":"dovecot-managesieved","binary_version":"1:2.4.1+dfsg1-5ubuntu4.2"},{"binary_version":"1:2.4.1+dfsg1-5ubuntu4.2","binary_name":"dovecot-mysql"},{"binary_version":"1:2.4.1+dfsg1-5ubuntu4.2","binary_name":"dovecot-pgsql"},{"binary_name":"dovecot-pop3d","binary_version":"1:2.4.1+dfsg1-5ubuntu4.2"},{"binary_version":"1:2.4.1+dfsg1-5ubuntu4.2","binary_name":"dovecot-sieve"},{"binary_name":"dovecot-solr","binary_version":"1:2.4.1+dfsg1-5ubuntu4.2"},{"binary_name":"dovecot-sqlite","binary_version":"1:2.4.1+dfsg1-5ubuntu4.2"},{"binary_version":"1:2.4.1+dfsg1-5ubuntu4.2","binary_name":"dovecot-submissiond"}],"availability":"No subscription required"},"database_specific":{"cves_map":{"ecosystem":"Ubuntu:25.10","cves":[{"id":"CVE-2026-27851","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N","type":"CVSS_V3"},{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N","type":"CVSS_V3"},{"type":"Ubuntu","score":"medium"}]},{"id":"CVE-2026-33603","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"type":"CVSS_V3","score":"CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"type":"Ubuntu","score":"medium"}]},{"id":"CVE-2026-40016","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","type":"CVSS_V3"},{"type":"Ubuntu","score":"medium"}]},{"id":"CVE-2026-40020","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L"},{"score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}]},{"id":"CVE-2026-42006","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L"},{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}]}]},"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-8365-1.json"}},{"package":{"name":"dovecot","ecosystem":"Ubuntu:26.04:LTS","purl":"pkg:deb/ubuntu/dovecot?arch=source&distro=resolute"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1:2.4.2+dfsg1-3ubuntu2.1"}]}],"versions":["1:2.4.1+dfsg1-5ubuntu4","1:2.4.1+dfsg1-5ubuntu5","1:2.4.2+dfsg1-3ubuntu1","1:2.4.2+dfsg1-3ubuntu2"],"ecosystem_specific":{"availability":"No subscription required","binaries":[{"binary_name":"dovecot-auth-lua","binary_version":"1:2.4.2+dfsg1-3ubuntu2.1"},{"binary_version":"1:2.4.2+dfsg1-3ubuntu2.1","binary_name":"dovecot-core"},{"binary_name":"dovecot-flatcurve","binary_version":"1:2.4.2+dfsg1-3ubuntu2.1"},{"binary_name":"dovecot-gssapi","binary_version":"1:2.4.2+dfsg1-3ubuntu2.1"},{"binary_name":"dovecot-imapd","binary_version":"1:2.4.2+dfsg1-3ubuntu2.1"},{"binary_name":"dovecot-ldap","binary_version":"1:2.4.2+dfsg1-3ubuntu2.1"},{"binary_version":"1:2.4.2+dfsg1-3ubuntu2.1","binary_name":"dovecot-lmtpd"},{"binary_version":"1:2.4.2+dfsg1-3ubuntu2.1","binary_name":"dovecot-managesieved"},{"binary_name":"dovecot-mysql","binary_version":"1:2.4.2+dfsg1-3ubuntu2.1"},{"binary_version":"1:2.4.2+dfsg1-3ubuntu2.1","binary_name":"dovecot-pgsql"},{"binary_version":"1:2.4.2+dfsg1-3ubuntu2.1","binary_name":"dovecot-pop3d"},{"binary_name":"dovecot-sieve","binary_version":"1:2.4.2+dfsg1-3ubuntu2.1"},{"binary_name":"dovecot-solr","binary_version":"1:2.4.2+dfsg1-3ubuntu2.1"},{"binary_name":"dovecot-sqlite","binary_version":"1:2.4.2+dfsg1-3ubuntu2.1"},{"binary_name":"dovecot-submissiond","binary_version":"1:2.4.2+dfsg1-3ubuntu2.1"}]},"database_specific":{"cves_map":{"ecosystem":"Ubuntu:26.04:LTS","cves":[{"id":"CVE-2026-27851","severity":[{"score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N","type":"CVSS_V3"},{"score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N","type":"CVSS_V3"},{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N","type":"CVSS_V3"},{"type":"Ubuntu","score":"medium"}]},{"id":"CVE-2026-33603","severity":[{"score":"CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N","type":"CVSS_V3"},{"type":"CVSS_V3","score":"CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"type":"Ubuntu","score":"medium"}]},{"severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"type":"Ubuntu","score":"medium"}],"id":"CVE-2026-40016"},{"id":"CVE-2026-40020","severity":[{"score":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L","type":"CVSS_V3"},{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L"},{"type":"Ubuntu","score":"medium"}]},{"id":"CVE-2026-42006","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L"},{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"type":"Ubuntu","score":"medium"}]}]},"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-8365-1.json"}}],"schema_version":"1.7.5"}