High severity 7.7 · NVD Advisory · Published Mar 27, 2026 · Updated Apr 29, 2026
CVE-2026-24031
Description
Dovecot SQL-based authentication can be bypassed when auth_username_chars is cleared by the admin. This vulnerability allows authentication to be bypassed for any user and allows user enumeration. Do not clear auth_username_chars. If this is not possible, install the latest fixed version. No publicly available exploits are known.
Affected products
- cpe:2.3:a:open-xchange:dovecot:*:*:*:*:pro:*:*:* range: < 3.1.4
- (no CPE)
- osv-coords, 4 versions:
  - pkg:rpm/opensuse/dovecot24&distro=openSUSE%20Leap%2016.0
  - pkg:rpm/opensuse/dovecot24&distro=openSUSE%20Tumbleweed
  - pkg:rpm/suse/dovecot24&distro=SUSE%20Linux%20Enterprise%20Server%2016.0
  - pkg:rpm/suse/dovecot24&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20applications%2016.0
- (no CPE) range: < 2.4.3-160000.1.1
- (no CPE) range: < 2.4.3-1.1
- (no CPE) range: < 2.4.3-160000.1.1
- (no CPE) range: < 2.4.3-160000.1.1