wid-sec-w-2026-0891 · Published 2026-03-26 · View on BSI CERT-Bund ↗

Dovecot: Multiple Vulnerabilities

CVSS 7.7 HIGH

Risk Summary

Doveadm credentials are verified using direct comparison which is susceptible to timing oracle attack. An attacker can use this to determine the configured credentials. Figuring out the credential will lead into full access to the affected component. Limit access to the doveadm http service port, install fixed version. No publicly available exploits are known.

CVEs (12)

CVE-2025-30189 CVE-2025-59028 CVE-2025-59032 CVE-2026-24031 CVE-2026-27856 CVE-2026-27858 CVE-2026-27859 CVE-2026-27860 CVE-2026-0394 CVE-2026-27855 CVE-2025-59031 CVE-2026-27857

Affected Vendors

Debian Open Source SUSE Ubuntu

Affected Products (4)

Open Source · Dovecot <2.4.0

Open Source · Dovecot 2.4.0

Open Source · Dovecot <2.4.3

Open Source · Dovecot 2.4.3

Get alerted to advisories like this

OTWarden monitors CISA, BSI, Siemens, Rockwell and more — and emails you within 2 hours when your vendors are affected.

Start free trial Learn more