Description
There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:
- Dovecot SQL based authentication can be bypassed when auth_username_chars is cleared by admin. This
vulnerability allows bypassing authentication for any user and user enumeration. Do not clear
auth_username_chars. If this is not possible, install latest fixed version. No publicly available exploits
are known. (CVE-2026-24031)
- When sending invalid base64 SASL data, login process is disconnected from the auth server, causing all
active authentication sessions to fail. Invalid BASE64 data can be used to DoS a vulnerable server to
break concurrent logins. Install fixed version or disable concurrency in login processes (heavy perfomance
penalty on large deployments). No publicly available exploits are known. (CVE-2025-59028)
- Dovecot has provided a script to use for attachment to text conversion. This script unsafely handles zip-
style attachments. Attacker can use specially crafted OOXML documents to cause unintended files on the
system to be indexed and subsequently ending up in FTS indexes. Do not use the provided script, instead,
use something else like FTS tika. No publicly available exploits are known. (CVE-2025-59031)
- Dovecot OTP authentication is vulnerable to replay attack under specific conditions. If auth cache is
enabled, and username is altered in passdb, then OTP credentials can be cached so that same OTP reply is
valid. An attacker able to observe an OTP exchange is able to log in as the user. If authentication
happens over unsecure connection, switch to SCRAM protocol. Alternatively ensure the communcations are
secured, and if possible switch to OAUTH2 or SCRAM. No publicly available exploits are known.
(CVE-2026-27855)
Solution
Update the dovecot library and its related packages to version 2.4.3-r0 or later.
Plugin Details
Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security
Risk Information
Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:C/A:N
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N
Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C
Vulnerability Information
Exploit Ease: No known exploits are available
Vulnerability Publication Date: 3/27/2026