CVE-2026-33603: Improper Control of Resource Identifiers ('Resource Injection') in Open-Xchange GmbH OX Dovecot Pro
Attacker can use a specially crafted base64 exchange between Dovecot and Client to fake SCRAM TLS channel binding. This requires that the attacker is able to position itself between Dovecot and the client connection. If successful, the attacker can eavesdrop communications between Dovecot and client as MITM proxy. Install fixed version. No publicly available exploits are known.
AI Analysis
Technical Summary
The vulnerability involves improper control of resource identifiers, specifically a 'Resource Injection' issue in OX Dovecot Pro. An attacker who can position themselves between the client and the Dovecot server can manipulate the base64 exchange used in SCRAM TLS channel binding to fake the binding. This manipulation enables the attacker to intercept and eavesdrop on communications as a man-in-the-middle proxy. The attack requires network-level access to intercept traffic. No known public exploits currently exist. The CVSS 3.1 vector indicates the attack requires adjacent network access, high attack complexity, no privileges, no user interaction, unchanged scope, and impacts confidentiality and integrity but not availability.
Potential Impact
Successful exploitation allows an attacker positioned between the client and server to eavesdrop on communications by faking SCRAM TLS channel binding, compromising confidentiality and integrity of the data exchanged. There is no impact on availability. No public exploits are known, which limits immediate risk. The attack requires network-level access to intercept traffic, which may limit exposure depending on deployment environment.
Mitigation Recommendations
The vendor advisory does not specify a remediation level or patch availability. Users should monitor Open-Xchange GmbH communications for a fixed version and apply it promptly once released. Until then, mitigating the ability of attackers to position themselves between client and server (e.g., through network segmentation or VPNs) may reduce risk. Patch status is not yet confirmed — check the vendor advisory for current remediation guidance.
CVE-2026-33603: Improper Control of Resource Identifiers ('Resource Injection') in Open-Xchange GmbH OX Dovecot Pro
Description
Attacker can use a specially crafted base64 exchange between Dovecot and Client to fake SCRAM TLS channel binding. This requires that the attacker is able to position itself between Dovecot and the client connection. If successful, the attacker can eavesdrop communications between Dovecot and client as MITM proxy. Install fixed version. No publicly available exploits are known.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability involves improper control of resource identifiers, specifically a 'Resource Injection' issue in OX Dovecot Pro. An attacker who can position themselves between the client and the Dovecot server can manipulate the base64 exchange used in SCRAM TLS channel binding to fake the binding. This manipulation enables the attacker to intercept and eavesdrop on communications as a man-in-the-middle proxy. The attack requires network-level access to intercept traffic. No known public exploits currently exist. The CVSS 3.1 vector indicates the attack requires adjacent network access, high attack complexity, no privileges, no user interaction, unchanged scope, and impacts confidentiality and integrity but not availability.
Potential Impact
Successful exploitation allows an attacker positioned between the client and server to eavesdrop on communications by faking SCRAM TLS channel binding, compromising confidentiality and integrity of the data exchanged. There is no impact on availability. No public exploits are known, which limits immediate risk. The attack requires network-level access to intercept traffic, which may limit exposure depending on deployment environment.
Mitigation Recommendations
The vendor advisory does not specify a remediation level or patch availability. Users should monitor Open-Xchange GmbH communications for a fixed version and apply it promptly once released. Until then, mitigating the ability of attackers to position themselves between client and server (e.g., through network segmentation or VPNs) may reduce risk. Patch status is not yet confirmed — check the vendor advisory for current remediation guidance.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- OX
- Date Reserved
- 2026-03-23T12:58:38.266Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a0333e5cbff5d8610ef1d28
Added to database: 5/12/2026, 2:06:29 PM
Last enriched: 5/12/2026, 2:22:55 PM
Last updated: 5/13/2026, 4:42:13 AM
Views: 9
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.