CVE-2026-0394

Name of the Vulnerable Software and Affected Versions Dovecot (affected versions not specified)

Description Dovecot is susceptible to a path traversal issue when configured to use per-domain passwd files. If these files are located one path component above /etc, or if a slash character is included in the allowed characters, an attacker could potentially read sensitive files like /etc/passwd. Accessing this file could lead to incorrect authentication or the appearance of system users as valid users when using a user database. No publicly available exploits are known.

Recommendations Upgrade to a fixed version. Alternatively, use a different authentication scheme that does not rely on paths. Ensure that the per-domain passwd files are located in a different directory, such as /etc/dovecot/auth/%d.