Low severity3.1NVD Advisory· Published May 12, 2026· Updated May 18, 2026
CVE-2026-40020
CVE-2026-40020
Description
Attacker can use the IMAP SETACL command to inject the anyone permission to user's dovecot-acl file even if imap_acl_allow_anyone=no. This causes folders to be spammed to all users. The impact is limited to being able to spam folders to other users, no unexpected access is gained. Install to fixed version. No publicly available exploits are known.
Affected products
6- osv-coords3 versionspkg:rpm/opensuse/dovecot24&distro=openSUSE%20Tumbleweedpkg:rpm/suse/dovecot24&distro=SUSE%20Linux%20Enterprise%20Server%2016.0pkg:rpm/suse/dovecot24&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20applications%2016.0
< 2.4.4-1.1+ 2 more
- (no CPE)range: < 2.4.4-1.1
- (no CPE)range: < 2.4.4-160000.1.1
- (no CPE)range: < 2.4.4-160000.1.1
Patches
Vulnerability mechanics
References
1News mentions
0No linked articles in our index yet.