PatchSiren cyber security CVE debrief

CVE-2026-33603 Dovecot CVE debrief

CVE-2026-33603 affects Dovecot and can let a network-positioned attacker fake SCRAM TLS channel binding through a specially crafted base64 exchange. If the attacker can sit between the client and the Dovecot server, the result may be man-in-the-middle interception of communications. NVD records affected versions before 2.4.4 for Dovecot and before 3.1.5 for Dovecot Pro, and the supplied description notes no publicly known exploit.

Vendor: Dovecot
Product: Unknown
CVSS: MEDIUM 6.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-12
Original CVE updated: 2026-05-18
Advisory published: 2026-05-12
Advisory updated: 2026-05-18

Who should care

Dovecot administrators, mail platform operators, and security teams that rely on SCRAM authentication with TLS channel binding should review exposure and patch affected deployments.

Technical summary

The issue is described as a crafted base64 exchange between Dovecot and the client that can make SCRAM TLS channel binding appear valid. The attacker must already be able to position themselves between the two endpoints, which matches the CVSS network-adjacent attack vector (AV:A) and high attack complexity (AC:H). The confidentiality and integrity impacts are rated high, while availability is not listed as impacted. The supplied metadata identifies vulnerable Dovecot versions before 2.4.4 and Dovecot Pro versions before 3.1.5.
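For context on what the channel-binding step is supposed to guarantee, the following is an added illustration, not Dovecot's code and not a description of this CVE's exact failure: a server-side check of the SCRAM `c=` attribute as RFC 5802 defines it, where the value must decode (as canonical base64) to the negotiated GS2 header followed by binding data the server obtained from its own TLS session. The `tls-unique` type and the binding bytes are constructed sample values.

```python
import base64
import binascii
import hmac


def strict_b64decode(value: str) -> bytes:
    """Decode base64 and reject anything that is not the canonical encoding.

    Re-encoding must reproduce the input byte for byte, so stray characters,
    odd padding or non-zero trailing bits cannot be mapped onto expected bytes.
    """
    try:
        raw = base64.b64decode(value, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"invalid base64: {exc}") from exc
    if base64.b64encode(raw).decode("ascii") != value:
        raise ValueError("non-canonical base64")
    return raw


def build_channel_binding_attr(cb_type: str, cb_data: bytes) -> str:
    """What an honest client sends as c=: base64(gs2-header || cbind-data)."""
    return base64.b64encode(f"p={cb_type},,".encode("ascii") + cb_data).decode("ascii")


def parse_client_final(message: str) -> dict:
    """Split a SCRAM client-final-message ("c=...,r=...,p=...") into attributes."""
    attrs = {}
    for part in message.split(","):
        if len(part) < 2 or part[1] != "=":
            raise ValueError(f"malformed attribute {part!r}")
        attrs[part[0]] = part[2:]
    return attrs


def verify_channel_binding(client_final: str, cb_type: str, tls_cb_data: bytes) -> bool:
    """Server-side check: c= must decode to exactly the negotiated GS2 header
    plus the binding data the server itself took from its TLS session.
    Any parse or decode failure, and any mismatch, is a rejection."""
    try:
        attrs = parse_client_final(client_final)
        decoded = strict_b64decode(attrs["c"])
    except (KeyError, ValueError):
        return False
    expected = f"p={cb_type},,".encode("ascii") + tls_cb_data
    return hmac.compare_digest(decoded, expected)


if __name__ == "__main__":
    tls_cb = bytes.fromhex("abcd")  # constructed sample; a real server derives this from TLS
    honest = build_channel_binding_attr("tls-unique", tls_cb)
    print(verify_channel_binding(f"c={honest},r=nonce,p=proof", "tls-unique", tls_cb))  # True
    print(verify_channel_binding("c=biws,r=nonce,p=proof", "tls-unique", tls_cb))       # False
```

The second call shows a client that declared no channel binding (`n,,`) being rejected once the server expects a bound exchange; the canonical-encoding check in `strict_b64decode` is what keeps two different base64 strings from being accepted as the same binding value.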

Defensive priority

Medium to high for affected deployments: patch promptly if you run vulnerable Dovecot or Dovecot Pro versions, especially in environments that depend on SCRAM TLS channel binding.

Recommended defensive actions

  • Upgrade Dovecot to version 2.4.4 or later.
  • Upgrade Dovecot Pro to version 3.1.5 or later.
  • Prioritize patching internet-facing or otherwise exposed mail authentication services.
  • Review network paths and TLS termination points to reduce opportunities for man-in-the-middle positioning.
  • Monitor for authentication anomalies and unexpected intermediary behavior around client-to-server sessions.

Evidence notes

The summary is based on the supplied CVE description, which states that a specially crafted base64 exchange can fake SCRAM TLS channel binding if the attacker can position between Dovecot and the client. NVD metadata in the source item lists vulnerable CPE ranges ending before Dovecot 2.4.4 and Dovecot Pro 3.1.5, and records CVSS 3.1 vector CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N. The source item also points to an Open-Xchange vendor advisory URL, but no additional advisory contents were provided in the corpus.

Official resources

CVE published 2026-05-12 and last modified 2026-05-18. The supplied description says no publicly available exploits are known.