PT-2026-40028 · Dovecot · Dovecot
Published
2026-05-12
·
Updated
2026-06-02
·
CVE-2026-40020
CVSS v3.1
4.3
Medium
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L |
Name of the Vulnerable Software and Affected Versions
dovecot versions prior to 2.4.4-1.1
Description
An authenticated attacker can use the IMAP SETACL command to inject the `anyone` permission into a user's dovecot-acl file, bypassing the `imap_acl_allow_anyone = no` configuration. This allows unwanted (spam) folders to be shared with all users, although no unauthorized access to data is granted.
Recommendations
Update to version 2.4.4-1.1.
Fix
Improper Access Control
Weakness Enumeration
Related Identifiers
Affected Products
Dovecot