PT-2026-28368 · Dovecot+2

Cookiejack15 · Published 2026-01-01 · Updated 2026-04-16 · CVE-2026-27860

CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Name of the Vulnerable Software and Affected Versions
Dovecot versions prior to 2.4.3

Description
If the auth_username_chars setting is empty, an attacker can inject arbitrary LDAP filters into Dovecot's LDAP authentication process. This can bypass restrictions and allow probing of the LDAP structure. No publicly available exploits are known.

Recommendations
Do not clear out the auth_username_chars setting. Install version 2.4.3 or later.
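
A configuration check for the two recommendations above, added here as an example (it is not part of the advisory and is not Dovecot code): it reads `doveconf -n`-style text and a `dovecot --version`-style string and reports whether auth_username_chars has been emptied and whether the version is prior to 2.4.3. The function names and the sample inputs are constructed for illustration.

```python
import re

FIXED = (2, 4, 3)  # first fixed release named in the advisory
KEY = re.compile(r"^\s*auth_username_chars\s*=(.*)$")

# Constructed sample inputs (not taken from a real host).
SAMPLE_VERSION = "2.4.2 (0000000)"
SAMPLE_CONF = """\
auth_mechanisms = plain login
auth_username_chars =
"""

def parse_version(text):
    """Extract (major, minor, patch) from version text."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    return tuple(int(p) for p in m.groups())

def username_chars_state(conf_text):
    """Return 'unset' (default applies), 'empty' or 'set'; last assignment wins."""
    state = "unset"
    for line in conf_text.splitlines():
        m = KEY.match(line)  # commented-out lines start with '#' and do not match
        if not m:
            continue
        value = m.group(1).strip()
        if value[:1] in ('"', "'"):
            # Quoted value: keep what is between the quotes, '#' included.
            end = value.find(value[0], 1)
            value = value[1:end] if end != -1 else value[1:]
        else:
            # Unquoted value: '#' starts a trailing comment.
            value = value.split("#", 1)[0].strip()
        state = "empty" if value == "" else "set"
    return state

def assess(version_text, conf_text):
    """List the advisory's recommendations that this host does not meet."""
    findings = []
    if parse_version(version_text) < FIXED:
        findings.append("version prior to 2.4.3: install 2.4.3 or later")
    if username_chars_state(conf_text) == "empty":
        findings.append("auth_username_chars is empty: restore an allowed-character list")
    return findings

if __name__ == "__main__":
    for finding in assess(SAMPLE_VERSION, SAMPLE_CONF):
        print(finding)
```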

Related Identifiers

CVE-2026-27860
OPENSUSE-SU-2026:10442-1
OPENSUSE-SU-2026:20554-1
SUSE-SU-2026:21208-1
USN-8136-1

Affected Products

Dovecot
Linuxmint
Ubuntu