CVE-2026-40016 MEDIUM

Vendor Open-Xchange GmbH
Product OX Dovecot Pro
Weakness CWE-400
Published May 12, 2026
Last update May 12, 2026

CVSS base score

5.3/10
Attack vector Network
Attack complexity High
Privileges required Low
User interaction None
Confidentiality None
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H

What the vulnerability does

01 Description

An attacker can upload a malicious Sieve script over the ManageSieve service (or locally) to exceed the configured CPU time limit for Sieve by a factor of up to 130. The attacker can use this to degrade server performance and bypass the configured CPU time limits for Sieve scripts. Install the fixed version, or alternatively prevent direct access to Sieve scripts via ManageSieve or local access. No publicly available exploits are known.

Key dates

02 Disclosure timeline

May 12, 2026 CVE published
May 12, 2026 Record updated
