A flaw in the authentication cache implementation allows users to access other users' emails in Dovecot 2.4. Note that the authentication cache is not enabled by default. The bug was introduced with Dovecot 2.4, specifically the renaming of configuration variables (%u to %{user}); 2.3 is not affected.

Reproducible: Always

Steps to Reproduce:
1. Configure the authentication cache.
2. Access email.

Actual Results: Access to other users' emails.

Expected Results: Access only to your own emails.

Additional Information:
CVE-2025-30189 has been assigned but not yet published.

Debian has documented this in bugs and security advisories:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1115474
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1115964
https://security-tracker.debian.org/tracker/CVE-2025-30189

The bug was fixed on August 1, 2025, but somehow has not made it into an upstream release:
https://github.com/dovecot/core/commit/a70ce7d3e2f983979e971414c5892c4e30197231
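The report says the bug only bites on Dovecot 2.4 with the authentication cache turned on, and that the cache is off by default. The following shell snippet is an added exposure check written for this page; it is not part of the bug report, of Dovecot, or of any distro package. It assumes that `auth_cache_size` is the setting that enables the cache (its Dovecot default is 0, meaning disabled) and that the version string comes from `dovecot --version`; it reads `doveconf -n` output from stdin rather than calling doveconf itself, so it runs anywhere.

```shell
#!/bin/sh
# Added exposure check for the auth-cache bug described above (not Dovecot code).
# Assumptions: auth_cache_size != 0 enables the cache (Dovecot default is 0,
# i.e. disabled); the version string is the first token of `dovecot --version`.

# auth_cache_enabled: read `doveconf -n` output (or a dovecot.conf) on stdin.
# Returns 0 if auth_cache_size is set to a non-zero value, 1 otherwise.
auth_cache_enabled() {
    # Keep only the value of auth_cache_size lines, drop trailing comments,
    # let the last assignment win (as Dovecot does), strip whitespace.
    val=$(sed -n 's/^[[:space:]]*auth_cache_size[[:space:]]*=[[:space:]]*\([^#]*\).*/\1/p' \
          | tail -n 1 | tr -d '[:space:]')
    case "$val" in
        ''|0) return 1 ;;   # unset, or explicitly 0: cache disabled
        *)    return 0 ;;   # e.g. 10M: cache enabled
    esac
}

# is_dovecot_24: returns 0 if the version string is a 2.4.x release.
# Accepts the full `dovecot --version` line ("2.4.1 (hash)") or just "2.4.1".
is_dovecot_24() {
    case "$1" in
        2.4|2.4.*) return 0 ;;
        *)         return 1 ;;
    esac
}

# check_dovecot VERSION < config: prints a verdict and returns 0 when the
# combination from the report (2.4 plus cache enabled) is present, 1 otherwise.
check_dovecot() {
    version=$1
    if is_dovecot_24 "$version" && auth_cache_enabled; then
        echo "AFFECTED: Dovecot $version with auth_cache_size set (CVE-2025-30189)"
        return 0
    fi
    echo "NOT AFFECTED: Dovecot $version (not 2.4, or auth cache disabled)"
    return 1
}

# Typical invocation on a live host (assumed command names):
#   doveconf -n | check_dovecot "$(dovecot --version | cut -d' ' -f1)"
```

The version test is deliberately coarse: distribution builds that already carry the fix (for example the Fedora and Ubuntu updates noted later in this report) still report 2.4.x, so a hit from this script means "check your package changelog", not "definitely vulnerable". Until your package is patched, the report's own observation suggests the mitigation: leave `auth_cache_size` at its default of 0.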
The same bug in Ubuntu has been fixed. https://bugs.launchpad.net/ubuntu/+source/dovecot/+bug/2126984
FEDORA-2025-d5eb72768a (dovecot-2.4.1-6.fc44) has been submitted as an update to Fedora 44. https://bodhi.fedoraproject.org/updates/FEDORA-2025-d5eb72768a
FEDORA-2025-d5eb72768a (dovecot-2.4.1-6.fc44) has been pushed to the Fedora 44 stable repository. If the problem still persists, please make note of it in this bug report.