CVE-2026-40020 Open-Xchange GmbH CVE debrief

Who should care

Organizations running Dovecot mail servers with IMAP ACL functionality enabled, particularly those relying on imap_acl_allow_anyone=no to restrict folder sharing. Security teams should prioritize patching during routine maintenance windows given the LOW severity and requirement for authenticated access.

Technical summary

The vulnerability exists in Dovecot's IMAP ACL implementation. When an authenticated user issues a SETACL command, the server fails to properly enforce the imap_acl_allow_anyone=no restriction, allowing the 'anyone' identifier to be written to the dovecot-acl file. This causes the affected folder to become visible to all users on the system. The issue requires authenticated IMAP access and high attack complexity (AC:H), with low privileges required (PR:L). The attack has no confidentiality or integrity impact, with low availability impact due to folder spam potential. Fixed versions implement proper validation of the 'anyone' identifier against the imap_acl_allow_anyone setting before writing ACL entries.

Defensive priority

routine

Recommended defensive actions

• Upgrade Dovecot to version 2.4.4 or later, or Dovecot Pro to version 3.1.5 or later.
• Verify imap_acl_allow_anyone configuration and review existing dovecot-acl files for unauthorized 'anyone' entries.
• Monitor IMAP logs for suspicious SETACL commands targeting shared folders.

Evidence notes

CVSS 3.1 score 3.1 (LOW) per NVD. Affected versions: Dovecot < 2.4.4, Dovecot Pro < 3.1.5 per CPE data. Vendor advisory confirms imap_acl_allow_anyone=no bypass via SETACL command injection. Impact limited to folder spamming, no privilege escalation.

Official resources