CVE-2026-27851 Open-Xchange GmbH CVE debrief

Who should care

Organizations running Dovecot mail servers, particularly those using SQL or LDAP backends for authentication and user lookups. Security teams responsible for mail infrastructure, identity management administrators, and DevSecOps engineers maintaining Dovecot deployments should prioritize assessment and patching.

Technical summary

The vulnerability stems from improper propagation of the `safe` filter status during variable expansion in Dovecot's string processing. When `safe` is applied to a variable expansion, the implementation fails to properly reset the safety context for subsequent pipeline operations on the same string. This causes downstream filters to incorrectly treat potentially attacker-controlled data as safe, bypassing escaping mechanisms. In authentication contexts where Dovecot interacts with SQL databases or LDAP directories, this can result in injection attacks if user input reaches these backends through affected string processing paths.

Defensive priority

HIGH

Recommended defensive actions

• Upgrade Dovecot to version 2.4.4 or later, or Dovecot Pro to version 3.1.5 or later
• Until patched, avoid using the `safe` filter with variable expansion in Dovecot configurations
• Review authentication-related configurations for potential SQL or LDAP injection vectors
• Monitor authentication logs for anomalous patterns that may indicate injection attempts
• Apply principle of least privilege to database and directory service connections used by Dovecot

Evidence notes

CVSS 3.1 vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N. CWE-235 (Improper Handling of Extra Parameters) identified as secondary weakness. Affected product versions confirmed through CPE criteria in NVD data.

Official resources