CVE-2026-0394: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in Open-Xchange GmbH OX Dovecot Pro
CVE-2026-0394 is a medium-severity path traversal vulnerability in Open-Xchange GmbH's OX Dovecot Pro. It occurs when per-domain passwd files are configured inside a subdirectory of /etc (so that a domain value of ".." resolves the lookup to /etc/passwd), or when slashes are allowed in domain names, letting the domain part of a login name steer the passwd-file lookup to files such as /etc/passwd. This can lead to unauthorized authentication or to system users appearing as valid mail users. No public exploits are known yet. Mitigation includes upgrading to a fixed version, changing the authentication scheme, or relocating the passwd files to a safer directory layout. The vulnerability has a CVSS score of 5.3, indicating moderate risk. Organizations running OX Dovecot Pro with vulnerable configurations should prioritize remediation. Countries with significant deployments of this software and sensitive email infrastructure are most at risk.
AI Analysis
Technical Summary
CVE-2026-0394 is a path traversal vulnerability affecting Open-Xchange GmbH's OX Dovecot Pro mail server software. The issue arises when the server is configured to look up per-domain passwd files through a path template that embeds the domain part of the login name, and either the files sit one directory level below /etc or the set of characters allowed in domain names includes slashes. The domain value is taken from the unauthenticated login attempt, so an attacker controls it. If that value is a directory partial such as "..", the expanded path climbs out of the intended per-domain directory and the server reads /etc/passwd or another file whose name ends in "passwd" instead of the intended authentication file; if slashes are permitted, arbitrary traversal sequences become possible as well. Because the passwd-file driver treats whatever it reads as its user database, this can lead to unauthorized authentication or cause system users to appear as valid mail users unexpectedly. The vulnerability requires neither authentication nor user interaction and is reachable over the network. The CVSS v3.1 base score is 5.3 (medium): network attack vector, low attack complexity, no privileges required, no user interaction. No public exploits are currently known, but the risk remains significant for affected deployments. Mitigation involves upgrading to a fixed version of OX Dovecot Pro, switching to an authentication scheme that does not derive passwd-file paths from the domain, or laying the files out so that the domain is the final path component (for example /etc/dovecot/auth/%d), which leaves a ".." domain pointing at a directory rather than at a file named passwd. The vulnerability illustrates why path components derived from untrusted input must be validated before use and why authentication file locations deserve a deliberate configuration review.
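To make the mechanism concrete, the following added example (written for this page; it is not Dovecot code and not taken from the advisory) models how a passwd-file path template containing %d expands for different domain values. The two templates are constructed for illustration: the first keeps the per-domain file one level below /etc, the second is the layout the advisory recommends, with %d as the last component. The character set is the default documented for Dovecot's auth_username_chars, reproduced from the documentation rather than from the page; verify it against your version. The hardened expansion is a generic check (single ordinary path component, result stays under the fixed prefix), not the vendor's fix.

```python
import posixpath

# Constructed templates for illustration (not copied from a real deployment).
VULNERABLE_TEMPLATE = "/etc/dovecot/%d/passwd"   # per-domain file one level below /etc
SAFER_TEMPLATE = "/etc/dovecot/auth/%d"          # %d is the final component

# Dovecot's documented default for auth_username_chars (assumption: check your
# version). '.' is allowed, so a domain of ".." passes this filter; '/' is not.
DEFAULT_USERNAME_CHARS = frozenset(
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_@"
)


def domain_of(login):
    """Return the part of a login name after '@' ('' when there is none)."""
    return login.partition("@")[2]


def base_dir(template):
    """The fixed directory prefix before %d, e.g. /etc/dovecot for the first template."""
    return posixpath.normpath(template.split("%d", 1)[0])


def naive_expand(template, domain):
    """Substitute %d with no validation, as a vulnerable lookup would, and
    return the normalized path that would be opened."""
    return posixpath.normpath(template.replace("%d", domain))


def escapes_base(template, domain):
    """True when the naive expansion leaves the fixed prefix directory."""
    return not naive_expand(template, domain).startswith(base_dir(template) + "/")


def hardened_expand(template, domain, allowed=DEFAULT_USERNAME_CHARS):
    """Substitute %d only if the domain is one ordinary path component and the
    resolved path still lies under the template's fixed prefix."""
    if not domain or domain in (".", "..") or "/" in domain:
        raise ValueError("domain must be a single ordinary path component")
    if any(c not in allowed for c in domain):
        raise ValueError("domain contains characters outside the allowed set")
    path = posixpath.normpath(template.replace("%d", domain))
    if not path.startswith(base_dir(template) + "/"):
        raise ValueError("expanded path escapes " + base_dir(template))
    return path


def rejects(template, domain):
    """True when hardened_expand refuses the domain (used by the self-checks)."""
    try:
        hardened_expand(template, domain)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed login names: a normal one, a ".." domain (passes the default
    # character filter), and a slash-bearing one (needs '/' to be permitted).
    for login in ("alice@example.com", "alice@..", "alice@../../passwd"):
        d = domain_of(login)
        for tmpl in (VULNERABLE_TEMPLATE, SAFER_TEMPLATE):
            flag = "ESCAPES" if escapes_base(tmpl, d) else "ok"
            print(f"{login:22} {tmpl:26} -> {naive_expand(tmpl, d)} [{flag}]")
        print(f"{login:22} hardened: {'rejected' if rejects(VULNERABLE_TEMPLATE, d) else 'accepted'}")
```

Running it shows the two conditions the advisory names: with the first template a plain ".." domain already lands on /etc/passwd, while with the recommended layout ".." only reaches the directory /etc/dovecot, and /etc/passwd is reachable again only if slashes are permitted in the domain. Relocating the files therefore closes the default-character case but not the slash case, which is why the character restriction matters as well.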
Potential Impact
The primary impact of CVE-2026-0394 is that the mail server's authentication lookup reads a system file, notably /etc/passwd, instead of the intended per-domain passwd file. On current systems /etc/passwd holds the account list but not password hashes (those live in /etc/shadow); the account list alone is enough for the passwd-file driver to treat local system users as valid mail users, and any file ending in "passwd" that does carry hashes would expose them to the authentication path. This can lead to unauthorized authentication against mail services or, where leaked data is reused, to impersonation of users and further escalation. The vulnerability does not directly affect system integrity or availability, but the confidentiality breach can support follow-on attacks, including lateral movement within an organization's network. Organizations relying on OX Dovecot Pro with vulnerable configurations risk compromise of their email infrastructure, which is critical for business communications. The absence of known public exploits reduces immediate risk, but the low barrier to exploitation (no authentication or user interaction required) means attackers could develop exploits quickly. The impact is particularly significant for organizations with sensitive or regulated data, since unauthorized access to email accounts can lead to data leaks, compliance violations, and reputational damage.
Mitigation Recommendations
To mitigate CVE-2026-0394, organizations should first upgrade OX Dovecot Pro to the fixed version published by Open-Xchange GmbH. If upgrading is not immediately feasible, administrators should reconfigure authentication so that it does not derive passwd-file paths from the domain part of the login name, or lay the files out so that the domain is the final path component (for example /etc/dovecot/auth/%d), which leaves a ".." domain resolving to a directory rather than to a file named passwd. Independently of the layout, the set of characters allowed in usernames and domains (in Dovecot, the auth_username_chars setting) must not include slashes or other separators that enable traversal, since a permitted slash makes any path reachable regardless of where the files live. Restrictive file system permissions on authentication files, and monitoring of access to them, reduce the blast radius and help detect suspicious activity. Regular audits of mail server configuration and prompt application of vendor patches are essential. Network-level controls such as firewalls and intrusion detection systems can add monitoring and blocking of anomalous access attempts against mail servers.
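The configuration review above can be scripted. The following added example (written for this page; it is not Dovecot code and not an official checker) reads Dovecot-style configuration text and flags passwd-file passdb entries whose path template can be steered by the domain. It assumes the documented passwd-file args form, in which optional key=value options precede the file path, and the documented default of auth_username_chars; both should be verified against your version. The three configuration snippets are constructed for the demonstration; the parser handles only flat "key = value" lines and a top-level passdb block, not includes or nested sections.

```python
import posixpath
import re

# Dovecot's documented default for auth_username_chars (assumption: check your
# version). It contains '.' but not '/'.
DEFAULT_USERNAME_CHARS = (
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_@"
)

# Constructed configuration snippets for the demonstration.
VULNERABLE_CONF = """\
# slashes added to the allowed character set
auth_username_chars = abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_@/
passdb {
  driver = passwd-file
  args = scheme=CRYPT username_format=%n /etc/dovecot/%d/passwd
}
"""

LAYOUT_ONLY_CONF = """\
# default auth_username_chars, but the per-domain file sits below /etc
passdb {
  driver = passwd-file
  args = scheme=CRYPT username_format=%n /etc/dovecot/%d/passwd
}
"""

FIXED_CONF = """\
# default auth_username_chars and %d as the final path component
passdb {
  driver = passwd-file
  args = scheme=CRYPT username_format=%n /etc/dovecot/auth/%d
}
"""


def parse_config(text):
    """Return (auth_username_chars, list of passdb dicts) from flat config text."""
    chars = DEFAULT_USERNAME_CHARS
    passdbs, current = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        if re.match(r"passdb\b.*\{$", line):
            current = {}
        elif line == "}" and current is not None:
            passdbs.append(current)
            current = None
        elif "=" in line:
            key, _, value = line.partition("=")  # first '=' only; args keep theirs
            key, value = key.strip(), value.strip()
            if current is not None:
                current[key] = value
            elif key == "auth_username_chars":
                chars = value
    return chars, passdbs


def passwd_file_path(args):
    """The passwd-file driver's args end with the file path (last token)."""
    return args.split()[-1] if args.strip() else ""


def audit(text):
    """Return one finding string per risky passwd-file passdb entry."""
    chars, passdbs = parse_config(text)
    findings = []
    for db in passdbs:
        if db.get("driver") != "passwd-file":
            continue
        path = passwd_file_path(db.get("args", ""))
        if "%d" not in path:
            continue                       # nothing for the domain to steer
        parts = path.split("/")
        if "%d" in parts and parts.index("%d") != len(parts) - 1:
            # Components follow %d, so a bare ".." domain keeps the trailing
            # filename and reaches a sibling file of the intended directory.
            dotdot = posixpath.normpath(path.replace("%d", ".."))
            findings.append(f"{path}: domain '..' resolves to {dotdot}")
        if "/" in chars:
            # With '/' permitted, '../' sequences reach any path on the system.
            findings.append(f"{path}: auth_username_chars allows '/'")
    return findings


if __name__ == "__main__":
    for name, conf in (("vulnerable", VULNERABLE_CONF),
                       ("layout only", LAYOUT_ONLY_CONF),
                       ("fixed", FIXED_CONF)):
        print(name, "->", audit(conf) or "no findings")
```

A deployment whose passwd-file path keeps components after %d gets a finding even with the default character set, and a deployment that permits slashes gets one regardless of layout; only the configuration that fixes both passes clean.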
Affected Countries
United States, Germany, United Kingdom, France, Canada, Australia, Netherlands, Sweden, Switzerland, Japan
Technical Details
- Data Version: 5.2
- Assigner Short Name: OX
- Date Reserved: 2025-11-28T09:18:02.607Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69c63ffa3c064ed76f701a4e
Added to database: 3/27/2026, 8:29:46 AM
Last enriched: 3/27/2026, 8:47:01 AM
Last updated: 3/27/2026, 9:39:03 AM