CVE-2026-40020 LOW

CVE-2026-40020

Vendor Open-Xchange Gmbh
Product OX Dovecot Pro
Weakness CWE-284
Published May 12, 2026
Last update May 12, 2026

CVSS base score

3.1/10
Attack vector Network
Attack complexity High
Privileges required Low
User interaction None
Confidentiality None
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L

What the vulnerability does

01Description

Attacker can use the IMAP SETACL command to inject the anyone permission to user's dovecot-acl file even if imap_acl_allow_anyone=no. This causes folders to be spammed to all users. The impact is limited to being able to spam folders to other users, no unexpected access is gained. Install to fixed version. No publicly available exploits are known.

Key dates

02Disclosure timeline

May 12, 2026 CVE published
May 12, 2026 Record updated