CVE-2026-33603 MEDIUM

Vendor Open-Xchange GmbH
Product OX Dovecot Pro
Weakness CWE-99
Published May 12, 2026
Last update May 12, 2026

CVSS base score

6.8/10
Attack vector Adjacent
Attack complexity High
Privileges required None
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

What the vulnerability does

01 Description

An attacker can use a specially crafted base64 exchange between Dovecot and the client to fake SCRAM TLS channel binding. This requires that the attacker is able to position themselves between Dovecot and the client connection. If successful, the attacker can eavesdrop on communications between Dovecot and the client as a MITM proxy. Install the fixed version. No publicly available exploits are known.

Key dates

02 Disclosure timeline

May 12, 2026 CVE published
May 12, 2026 Record updated