CVE-2026-0394 — Vulnetix

CVE-2026-0394 PUBLISHED CVSS 5.300000190734863 MEDIUM

When dovecot has been configured to use per-domain passwd files, and they are placed one path component above /etc, or slash has been added to allowed characters, path traversal can happen if the domain component is directory partial. This allows inadvertently reading /etc/passwd (or some other path which ends with passwd). If this file contains passwords, it can be used to authenticate wrongly, or if this is userdb, it can unexpectly make system users appear valid users. Upgrade to fixed version, or use different authentication scheme that does not rely on paths. Alternatively you can also ensure that the per-domain passwd files are in some other location, such as /etc/dovecot/auth/%d. No publicly available exploits are known.

EPSS 0.03% · 8.6th percentile

Risk Scores

CVSS 3.1

5.300000190734863

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

EPSS Score

0.03%

8.6th percentile

Affected Products

Vendor	Product	Versions
dovecot	dovecot	0
Open-Xchange GmbH	OX Dovecot Pro	0, 0, 0
open-xchange	dovecot	0

Exploit Intelligence

CIRCL seen: CVE-2026-0394 (circl-sighting)
https://documentation.open-xchange.com/dovecot/security/advisories/csaf/2026/oxdc-adv-2026-0001.json (circl)

Timeline

Mar 27, 2026 Coalition ESS Score
Mar 27, 2026 CVE Published
Mar 27, 2026 PoC Published
Mar 27, 2026 CVE Updated
Mar 29, 2026 Security Advisory
May 18, 2026 EPSS Score
May 19, 2026 EPSS Score
May 20, 2026 EPSS Score
May 21, 2026 EPSS Score
May 22, 2026 EPSS Score
May 23, 2026 EPSS Score
May 24, 2026 EPSS Score

References

https://documentation.open-xchange.com/dovecot/security/advisories/csaf/2026/oxdc-adv-2026-0001.json vendor-advisory
https://nvd.nist.gov/vuln/detail/CVE-2026-0394 advisory

Open in Interactive Console →