OX Dovecot Improper Access Control Vulnerability Allowing Spam of IMAP Folders

Vulnerability

OX Dovecot Pro and OX Dovecot CE accept an IMAP SETACL command that grants rights to the special identifier 'anyone' even when the server is configured with imap_acl_allow_anyone=no. The grant is written into the folder's dovecot-acl file, so a user can share a folder they control with every other user on the server despite that setting. Because such folders become visible to all users, an attacker can flood every mailbox with unwanted shared folders. The flaw does not give the attacker access to anyone else's mail; its effect is disruption of the user experience rather than data exposure.

Impact

Exploitation causes IMAP folders to be spammed to all users on the server. It does not grant the attacker any access beyond what they already have.

Remediation

Users are advised to update to OX Dovecot Pro version 3.1.5 or OX Dovecot CE version 2.4.4 (or later). The update stops further misuse of SETACL; 'anyone' entries that an attacker has already written into dovecot-acl files should be audited separately and removed where they were not intended.
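The following audit script is an added example, not OX or Dovecot code. It walks a mail store, finds every dovecot-acl file and reports the entries that grant rights to the 'anyone' identifier, which is what misuse of SETACL as described above leaves behind, and it can produce a cleaned copy of a file with those grants removed. The dovecot-acl line format it parses (one entry per line, '<identifier> <rights>', a leading '-' marking a negative entry, '#' starting a comment), the two-user Maildir layout, and the ACL contents are assumptions constructed for the example.

```python
"""Audit Dovecot per-folder ACL files for grants to the special identifier 'anyone'.

Added example (not OX/Dovecot code). Assumed dovecot-acl format: one entry per line,
"<identifier> <rights>", where identifier is owner | authenticated | anyone |
user=<name> | group=<name> | group-override=<name>, optionally prefixed with '-'
for a negative entry; blank lines and lines starting with '#' are ignored.
"""
import os
import tempfile
from dataclasses import dataclass

ACL_FILENAME = "dovecot-acl"

# Constructed sample contents: a normal file and one carrying an injected 'anyone' grant.
SAMPLE_CLEAN = "owner lrwstipekxa\nuser=alice lrs\n"
SAMPLE_INJECTED = (
    "# folder shared via SETACL despite imap_acl_allow_anyone=no\n"
    "owner lrwstipekxa\n"
    "anyone lrs\n"
    "-anyone w\n"  # a negative entry removes rights and is not a grant
)


@dataclass(frozen=True)
class AnyoneGrant:
    path: str      # dovecot-acl file the grant was found in
    line_no: int   # 1-based line within that file
    rights: str    # rights string granted to 'anyone'


def parse_acl(text):
    """Return (line_no, identifier, rights, negative) for every entry line."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        ident = parts[0]
        rights = parts[1].strip() if len(parts) > 1 else ""
        negative = ident.startswith("-")
        if negative:
            ident = ident[1:]
        entries.append((line_no, ident, rights, negative))
    return entries


def anyone_grants(text, path="<inline>"):
    """Positive grants to 'anyone' in one file's content (negative entries are skipped)."""
    return [
        AnyoneGrant(path, line_no, rights)
        for line_no, ident, rights, negative in parse_acl(text)
        if ident == "anyone" and not negative and rights
    ]


def strip_anyone(text):
    """Return the content with positive 'anyone' grants removed; all other lines are kept verbatim."""
    flagged = {grant.line_no for grant in anyone_grants(text)}
    return "".join(
        raw + "\n"
        for line_no, raw in enumerate(text.splitlines(), start=1)
        if line_no not in flagged
    )


def audit_tree(root):
    """Walk a mail store and collect 'anyone' grants from every dovecot-acl file under it."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        if ACL_FILENAME in files:
            path = os.path.join(dirpath, ACL_FILENAME)
            with open(path, encoding="utf-8", errors="replace") as fh:
                findings.extend(anyone_grants(fh.read(), path))
    return findings


def build_demo_tree():
    """Create a throwaway two-user Maildir layout (assumed layout, constructed for the example)."""
    root = tempfile.mkdtemp(prefix="acl-audit-")
    layout = {
        os.path.join("alice", "Maildir"): SAMPLE_CLEAN,
        os.path.join("bob", "Maildir", ".Newsletters"): SAMPLE_INJECTED,
    }
    for rel, content in layout.items():
        folder = os.path.join(root, rel)
        os.makedirs(folder)
        with open(os.path.join(folder, ACL_FILENAME), "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    demo_root = build_demo_tree()
    for grant in audit_tree(demo_root):
        print(f"{grant.path}:{grant.line_no}: anyone granted '{grant.rights}'")
```

Point audit_tree at the real mail store root instead of the demo tree to run it in production. It only covers per-folder dovecot-acl files, not ACLs kept in a global ACL file or another backend, and a flagged entry should be confirmed as unintended before strip_anyone's output is written back, since the cleaned content is returned rather than applied.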

Added: May 12, 2026, 2:28 PM
Updated: May 12, 2026, 2:28 PM

Vulnerability Rating

Custom Algorithm

spread          6.4
impact          0.6
exploitability  5.4
remediation     7.7
relevance       8.1
threat          0.0
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.