Medium severity6.8NVD Advisory· Published May 12, 2026· Updated May 12, 2026

CVE-2026-33603

Description

Attacker can use a specially crafted base64 exchange between Dovecot and Client to fake SCRAM TLS channel binding. This requires that the attacker is able to position itself between Dovecot and the client connection. If successful, the attacker can eavesdrop communications between Dovecot and client as MITM proxy. Install fixed version. No publicly available exploits are known.

Affected products

Dovecot (software)/Dovecotllm-fuzzy

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

documentation.open-xchange.com/dovecot/security/advisories/csaf/2026/oxdc-adv-2026-0002.jsonnvd

News mentions

Debian 13.5 point release lands with security fixes, bug patches
Help Net Security · May 17, 2026

cvss	0.442
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000