CVE-2026-27851
Summary
| CVE | CVE-2026-27851 |
|---|---|
| State | PUBLISHED |
| Assigner | OX |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-05-12 14:16:56 UTC |
| Updated | 2026-07-10 12:16:36 UTC |
| Description | When safe filter is used with variable expansion, all following pipelines on the same string are incorrectly interpreted as safe too, enabling unsafe data to be unescaped. This can enable SQL / LDAP injection attacks when used in authentication. Avoid using safe filter until on fixed version. No publicly available exploits are known. |
Risk And Classification
Primary CVSS: v3.1 9.1 CRITICAL from [email protected]
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS: 0.004060000 probability, percentile 0.326740000 (date 2026-07-13)
Problem Types: CWE-235 | CWE-89 | CWE-235 Improper Handling of Extra Parameters | CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.1 | [email protected] | Primary | 9.1 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N |
| 3.1 | ADP | CVSS | 7.4 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N |
| 3.1 | [email protected] | Secondary | 7.4 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N |
| 3.1 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | Secondary | 7.4 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N |
| 3.1 | CNA | CVSS | 7.4 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N |
CVSS v3.1 Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Dovecot | Dovecot | All | All | All | All |
| Application | Open-xchange | Dovecot | All | All | All | All |
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Open-Xchange GmbH | OX Dovecot Pro | affected 3.1.4 semver | Not specified |
| CNA | Open-Xchange GmbH | OX Dovecot Pro | affected 2.4.3 semver | Not specified |
| ADP | Red Hat | Red Hat Enterprise Linux 6 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Enterprise Linux 10 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Enterprise Linux 8 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Enterprise Linux 9 | Not specified | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-27851.json | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | security.access.redhat.com | |
| access.redhat.com/security/cve/CVE-2026-27851 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| bugzilla.redhat.com/show_bug.cgi | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | bugzilla.redhat.com | |
| documentation.open-xchange.com/dovecot/security/advisories/csaf/2026/oxdc-adv-2026-0002.json | [email protected] | documentation.open-xchange.com | Vendor Advisory |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Additional Advisory Data
| Source | Time | Event |
|---|---|---|
| ADP | 2026-05-12T14:01:35.826Z | Reported to Red Hat. |
| ADP | 2026-05-12T13:28:43.846Z | Made public. |
Workarounds
ADP: To mitigate this issue, avoid using the 'safe filter' feature in Dovecot configurations that involve variable expansion. Administrators should review Dovecot configuration files, typically found in `/etc/dovecot/conf.d/`, to identify and disable or modify any configurations that utilize the `safe filter` with variable expansion. A restart of the Dovecot service is necessary for these changes to take effect and may impact services relying on this feature.