OX Dovecot Improper Control of Resource Identifiers Vulnerability Allowing Man-in-the-Middle Eavesdropping

Vulnerability

A vulnerability in OX Dovecot Pro and OX Dovecot CE allows an attacker to manipulate SCRAM TLS channel binding by using a specially crafted base64 exchange between Dovecot and the client. Exploitation requires the attacker to be positioned between the Dovecot server and the client, acting as a man-in-the-middle. If successful, the attacker can eavesdrop on the communications between Dovecot and the client.
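The advisory does not say which step of the channel-binding check Dovecot mishandled, so the following is an added, illustrative example of the server-side checks RFC 5802 requires on the client-final c= attribute; it is not Dovecot's code. It shows strict base64 decoding of the c= value, comparison against the binding data the server derived from its own TLS session, and rejection of the y-flag downgrade. The SCRAM message strings and the cbind data are constructed inputs.

```python
import base64
import binascii
import hmac


def parse_gs2_header(client_first: str) -> tuple[str, str]:
    """Split a client-first-message into (gs2-header, bare part) per RFC 5802."""
    parts = client_first.split(",", 2)
    if len(parts) != 3 or not (parts[0] in ("n", "y") or parts[0].startswith("p=")):
        raise ValueError("malformed gs2-header")
    return f"{parts[0]},{parts[1]},", parts[2]


def make_c_attribute(gs2_header: str, cbind_data: bytes = b"") -> str:
    """Canonical c= value a client sends: base64(gs2-header || cbind-data)."""
    return base64.b64encode(gs2_header.encode("ascii") + cbind_data).decode("ascii")


def strict_b64decode(value: str) -> bytes:
    """Decode base64, rejecting stray characters and any non-canonical encoding."""
    try:
        raw = base64.b64decode(value, validate=True)
    except binascii.Error as exc:
        raise ValueError("invalid base64 in c= attribute") from exc
    # Re-encoding must reproduce the exact string; this catches padding and
    # trailing-bit variants that decode to the same bytes.
    if base64.b64encode(raw).decode("ascii") != value:
        raise ValueError("non-canonical base64 in c= attribute")
    return raw


def verify_channel_binding(client_first: str, client_final: str,
                           server_cbind_data: bytes, server_offers_plus: bool) -> bool:
    """Verify the c= attribute of client-final against this TLS session.
    server_cbind_data is the tls-unique/tls-exporter value taken from the server's
    own TLS connection (constructed bytes in the test); the caller supplies it."""
    gs2_header, _ = parse_gs2_header(client_first)
    flag = gs2_header.split(",", 1)[0]
    attrs = dict(attr.split("=", 1) for attr in client_final.split(","))
    if "c" not in attrs:
        raise ValueError("client-final lacks c= attribute")
    decoded = strict_b64decode(attrs["c"])
    if flag == "y" and server_offers_plus:
        # Client claims the server lacks channel binding although it was offered:
        # RFC 5802 treats this as a downgrade and requires failing authentication.
        raise ValueError("channel-binding downgrade detected")
    expected = gs2_header.encode("ascii")
    if flag.startswith("p="):
        expected += server_cbind_data
    if not hmac.compare_digest(decoded, expected):
        raise ValueError("channel binding does not match this TLS session")
    return True
```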

Impact

Exploitation of this vulnerability allows for man-in-the-middle eavesdropping on the communication between Dovecot and the client.

Remediation

Users are advised to upgrade to OX Dovecot Pro 3.1.5 or OX Dovecot CE 2.4.4.

Added: May 12, 2026, 2:30 PM
Updated: May 12, 2026, 2:30 PM

Vulnerability Rating

Custom Algorithm
spread: 6.4
impact: 5.0
exploitability: 4.8
remediation: 7.7
relevance: 8.1
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.