CVE-2026-27860

If authusernamechars is empty, it is possible to inject arbitrary LDAP filter to Dovecot's LDAP authentication. This leads to potentially bypassing restrictions and allows probing of LDAP structure. Do not clear out authusernamechars, or install fixed version. No publicly available exploits are known.

Database specific

{
    "cna_assigner": "OX",
    "unresolved_ranges": [
        {
            "source": "AFFECTED_FIELD",
            "extracted_events": [
                {
                    "last_affected": "3.1.0"
                },
                {
                    "last_affected": "2.4.0"
                }
            ]
        }
    ],
    "cwe_ids": [
        "CWE-90"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/27xxx/CVE-2026-27860.json"
}

References

Affected packages

Git / github.com/dovecot/core

Affected ranges

Type

GIT

Repo

https://github.com/dovecot/core

Events

Introduced

Fixed

c1b22ef978ca72999e254b2f3964b3d32d1a4979

Database specific

{
    "cpe": "cpe:2.3:a:dovecot:dovecot:*:*:*:*:*:*:*:*",
    "source": "CPE_RANGE",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "2.4.3"
        }
    ]
}

Affected versions

1.*

1.1.alpha1

1.1.alpha2

1.1.alpha4

1.1.alpha5

1.1.alpha6

1.1.beta1

1.1.beta10

1.1.beta11

1.1.beta12

1.1.beta13

1.1.beta14

1.1.beta16

1.1.beta2

1.1.beta3

1.1.beta4

1.1.beta5

1.1.beta6

1.1.beta8

1.1.beta9

1.1.rc1

1.1.rc2

1.1.rc3

1.2.alpha1

1.2.alpha2

1.2.alpha3

1.2.alpha4

1.2.alpha5

1.2.beta1

1.2.beta2

1.2.beta3

1.2.beta4

1.2.rc1

2.*

2.0.0

2.0.1

2.0.2

2.0.3

2.0.4

2.0.5

2.0.6

2.0.7

2.0.8

2.0.alpha1

2.0.alpha2

2.0.alpha3

2.0.beta1

2.0.beta2

2.0.beta3

2.0.beta4

2.0.beta5

2.0.beta6

2.0.rc1

2.0.rc2

2.0.rc3

2.0.rc4

2.0.rc5

2.0.rc6

2.1.alpha1

2.1.alpha2

2.1.beta1

2.1.rc1

2.1.rc2

2.1.rc3

2.1.rc4

2.1.rc5

2.1.rc6

2.2.0

2.2.1

2.2.10

2.2.11

2.2.12

2.2.13

2.2.13.rc1

2.2.14

2.2.14.rc1

2.2.15

2.2.16

2.2.16.rc1

2.2.17

2.2.17.rc1

2.2.17.rc2

2.2.18

2.2.19

2.2.19.rc1

2.2.19.rc2

2.2.2

2.2.20

2.2.20.rc1

2.2.3

2.2.4

2.2.5

2.2.6

2.2.7

2.2.8

2.2.9

2.2.alpha1

2.2.beta1

2.2.beta2

2.2.rc1

2.2.rc2

2.2.rc3

2.2.rc4

2.2.rc5

2.2.rc6

2.2.rc7

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-27860.json"