PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-40016 Dovecot CVE debrief

CVE-2026-40016 is a Dovecot vulnerability where a malicious Sieve script can bypass configured CPU time limits by as much as 130 times the intended limit. The issue can be reached through ManageSieve or local script handling and can be used to degrade server performance. Public sources in this corpus do not report known exploits.

Vendor
Dovecot
Product
Unknown
CVSS
MEDIUM 5.3
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-12
Original CVE updated
2026-05-18
Advisory published
2026-05-12
Advisory updated
2026-05-18

Who should care

Mail administrators and security teams running Dovecot or Open-Xchange Dovecot Pro, especially environments that allow users or services to upload or modify Sieve scripts through ManageSieve or local access.

Technical summary

NVD lists the issue as CVSS 3.1 5.3 (AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H) with CWE-400 (Uncontrolled Resource Consumption). Read in practice, that vector means the attacker needs a low-privileged account (PR:L, typically a mailbox user who is allowed to upload a Sieve script), reaches the server over the network (AV:N, normally the ManageSieve service), and affects availability only (A:H). The vulnerable scope in the NVD CPE criteria includes Dovecot versions before 2.4.4 and Open-Xchange Dovecot Pro versions before 3.1.5. The flaw allows a malicious Sieve script to consume up to 130x the configured CPU time limit before enforcement stops it, so the limit that is meant to cap a runaway script no longer protects the server. This is an availability risk rather than a confidentiality or integrity issue.

Defensive priority

Medium. The impact is availability-focused and the attack requires an account or local access that can upload or modify Sieve scripts, but a single user who has that access can materially degrade mail service performance for everyone on the host if the ManageSieve service is exposed.

Recommended defensive actions

  • Upgrade Dovecot to 2.4.4 or later.
  • Upgrade Open-Xchange Dovecot Pro to 3.1.5 or later.
  • If you cannot upgrade immediately, stop exposing the ManageSieve service (remove sieve from the configured protocols so the listener on TCP 4190 is not started, or block that port at the network edge) and restrict local script access to trusted administrators only.
  • Review who can create or modify Sieve scripts and remove unnecessary privileges.
  • Monitor mail server CPU usage and service latency for signs of script-driven resource exhaustion.
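The following triage script is an added example for this debrief and is not code from PatchSiren, Dovecot or Open-Xchange. It turns the first three actions above into a check a mail administrator can run on a host: it parses the output of dovecot --version and doveconf -n, compares the version against the fixed releases named in the NVD CPE ranges (2.4.4 and 3.1.5), and reports whether ManageSieve is enabled. The sample version string and doveconf dump embedded in it are constructed for the example; the setting name sieve_max_cpu_time is taken from Pigeonhole documentation, not from this page, and is an assumption about which limit the script overruns. The product argument for Dovecot Pro also assumes the Pro build reports its 3.x version number in the same dotted form.

```python
"""Exposure check for CVE-2026-40016 (Sieve CPU-time limit bypass in Dovecot).

Parses the output of `dovecot --version` and `doveconf -n`, compares the
version against the fixed releases from the NVD CPE ranges, and reports
whether ManageSieve (the network path for script upload) is enabled.
"""
import re
import subprocess

# Fixed releases from the NVD CPE ranges: Dovecot < 2.4.4 and
# Open-Xchange Dovecot Pro < 3.1.5 are vulnerable.
FIXED_VERSIONS = {
    "dovecot": (2, 4, 4),
    "dovecot-pro": (3, 1, 5),
}

# Constructed sample output standing in for a real host. Both the version
# string and the doveconf dump are made up for this example.
SAMPLE_VERSION_OUTPUT = "2.4.3 (0123456789)"
SAMPLE_DOVECONF_OUTPUT = """\
# 2.4.3 (0123456789): /etc/dovecot/dovecot.conf
protocols = imap lmtp sieve
service managesieve-login {
  inet_listener sieve {
    port = 4190
  }
}
sieve_max_cpu_time = 30s
"""


def parse_version(text):
    """Return the leading dotted version of `dovecot --version` output as an
    int tuple, e.g. '2.4.3 (0123456789)' -> (2, 4, 3)."""
    m = re.match(r"\s*(\d+(?:\.\d+)+)", text)
    if not m:
        raise ValueError("no version number found in %r" % text)
    return tuple(int(part) for part in m.group(1).split("."))


def is_vulnerable(version, product="dovecot"):
    """True if `version` is below the fixed release for `product`.

    Tuple comparison handles differing lengths: (2, 4) < (2, 4, 4) is True
    and (2, 4, 4, 1) < (2, 4, 4) is False. Distribution packages that backport
    the fix without bumping the version are still flagged; confirm those
    against the distribution's own advisory.
    """
    return tuple(version) < FIXED_VERSIONS[product]


def top_level_setting(doveconf_output, name):
    """Return the value of an unindented `name = value` line from `doveconf -n`
    output, or None if it is not set at the top level."""
    for line in doveconf_output.splitlines():
        if line.startswith((" ", "\t")):
            continue  # setting inside a service/protocol block, skip
        key, sep, value = line.partition("=")
        if sep and key.strip() == name:
            return value.strip()
    return None


def managesieve_enabled(doveconf_output):
    """True when `sieve` is listed in `protocols`, i.e. the ManageSieve
    service is started and remote users can upload scripts."""
    protocols = top_level_setting(doveconf_output, "protocols") or ""
    return "sieve" in protocols.split()


def assess(version_output, doveconf_output, product="dovecot"):
    """Combine the checks into one triage record for a host."""
    version = parse_version(version_output)
    vulnerable = is_vulnerable(version, product)
    exposed = managesieve_enabled(doveconf_output)
    if not vulnerable:
        action = "patched: no action needed for CVE-2026-40016"
    elif exposed:
        action = "upgrade now, or drop 'sieve' from protocols until you can"
    else:
        action = "upgrade; restrict local Sieve script access meanwhile"
    return {
        "version": ".".join(str(p) for p in version),
        "vulnerable": vulnerable,
        "managesieve_enabled": exposed,
        # Assumed setting name (from Pigeonhole docs): the per-script CPU
        # limit that a malicious script can overrun by up to 130x.
        "cpu_limit": top_level_setting(doveconf_output, "sieve_max_cpu_time"),
        "action": action,
    }


def _run(cmd):
    """Capture a command's stdout, or None if the binary is not present."""
    try:
        return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return None


if __name__ == "__main__":
    # Use the live host when dovecot is installed, otherwise the sample data.
    version_out = _run(["dovecot", "--version"]) or SAMPLE_VERSION_OUTPUT
    conf_out = _run(["doveconf", "-n"]) or SAMPLE_DOVECONF_OUTPUT
    for key, value in assess(version_out, conf_out).items():
        print("%-20s %s" % (key, value))
```

Run it as root on the mail host so doveconf can read the live configuration; pass product="dovecot-pro" to assess() on Open-Xchange Dovecot Pro hosts. A "vulnerable" result together with "managesieve_enabled" is the case the defensive priority above calls out, because remote mailbox users can then upload the script themselves.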

Evidence notes

This debrief is based on the supplied NVD record, its referenced vendor advisory, and the CVE record. The corpus states that a malicious Sieve script can bypass configured CPU time limits by up to 130x and that no publicly available exploits are known. NVD metadata lists the affected CPE ranges and CVSS vector, and the vendor advisory reference provides the remediation path.

Official resources

Publicly disclosed on 2026-05-12. The supplied corpus indicates no publicly available exploits are known.