CVE-2026-40020: Improper Access Control in Open-Xchange GmbH OX Dovecot Pro
Attacker can use the IMAP SETACL command to inject the anyone permission to user's dovecot-acl file even if imap_acl_allow_anyone=no. This causes folders to be spammed to all users. The impact is limited to being able to spam folders to other users, no unexpected access is gained. Install to fixed version. No publicly available exploits are known.
AI Analysis
Technical Summary
This vulnerability allows an attacker with limited privileges to manipulate access control lists by injecting the 'anyone' permission via the IMAP SETACL command in OX Dovecot Pro. Despite the configuration setting intended to prevent this (imap_acl_allow_anyone=no), the attacker can bypass it, causing folders to be spammed to all users. The impact is limited to spamming and does not include unauthorized data access or modification. The CVSS 3.1 score is 3.1 (low), reflecting the limited impact and the requirement for network access with low privileges and high attack complexity. No official patch or remediation level is provided in the available data, and no known exploits exist in the wild.
Potential Impact
The vulnerability allows attackers to spam folders to all users by injecting the 'anyone' permission into ACL files. There is no unauthorized data access or integrity compromise. The impact is limited to nuisance and potential disruption caused by spammed folders. No known exploitation in the wild has been reported.
Mitigation Recommendations
The vendor advisory does not specify an official patch or remediation level. Users should monitor vendor communications for updates and apply any forthcoming patches promptly. Since the vulnerability requires the IMAP SETACL command and specific conditions, restricting access to IMAP services and reviewing ACL configurations may reduce exposure. Patch status is not yet confirmed — check the vendor advisory for current remediation guidance.
CVE-2026-40020: Improper Access Control in Open-Xchange GmbH OX Dovecot Pro
Description
Attacker can use the IMAP SETACL command to inject the anyone permission to user's dovecot-acl file even if imap_acl_allow_anyone=no. This causes folders to be spammed to all users. The impact is limited to being able to spam folders to other users, no unexpected access is gained. Install to fixed version. No publicly available exploits are known.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This vulnerability allows an attacker with limited privileges to manipulate access control lists by injecting the 'anyone' permission via the IMAP SETACL command in OX Dovecot Pro. Despite the configuration setting intended to prevent this (imap_acl_allow_anyone=no), the attacker can bypass it, causing folders to be spammed to all users. The impact is limited to spamming and does not include unauthorized data access or modification. The CVSS 3.1 score is 3.1 (low), reflecting the limited impact and the requirement for network access with low privileges and high attack complexity. No official patch or remediation level is provided in the available data, and no known exploits exist in the wild.
Potential Impact
The vulnerability allows attackers to spam folders to all users by injecting the 'anyone' permission into ACL files. There is no unauthorized data access or integrity compromise. The impact is limited to nuisance and potential disruption caused by spammed folders. No known exploitation in the wild has been reported.
Mitigation Recommendations
The vendor advisory does not specify an official patch or remediation level. Users should monitor vendor communications for updates and apply any forthcoming patches promptly. Since the vulnerability requires the IMAP SETACL command and specific conditions, restricting access to IMAP services and reviewing ACL configurations may reduce exposure. Patch status is not yet confirmed — check the vendor advisory for current remediation guidance.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- OX
- Date Reserved
- 2026-04-08T09:59:59.342Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a0333e5cbff5d8610ef1d31
Added to database: 5/12/2026, 2:06:29 PM
Last enriched: 5/12/2026, 2:22:21 PM
Last updated: 5/13/2026, 4:57:53 AM
Views: 6
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.