PatchSiren

Dovecot CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

MEDIUM Dovecot CVE published 2026-05-12

CVE-2026-40016

CVE-2026-40016 is a Dovecot vulnerability in which a malicious Sieve script can exceed the configured CPU time limit by as much as 130 times the intended limit. The issue can be reached through ManageSieve or local script handling and can be used to degrade server performance. Public sources in this corpus do not report known exploits.

MEDIUM Dovecot CVE published 2026-05-12

CVE-2026-33603

CVE-2026-33603 affects Dovecot and can let a network-positioned attacker spoof SCRAM TLS channel binding through a specially crafted base64 exchange. If the attacker can position themselves between the client and Dovecot, the result may be man-in-the-middle interception of communications. NVD records affected versions before 2.4.4 for Dovecot and before 3.1.5 for Dovecot Pro, with no public exploit known in the [truncated]

MEDIUM Dovecot CVE published 2017-02-17

CVE-2016-8652

CVE-2016-8652 is a remote denial-of-service issue in Dovecot's auth component when auth-policy is configured. According to the supplied NVD record, an attacker can cause a crash by aborting authentication before a username is set. Affected versions are Dovecot releases before 2.2.27.