2452173 – (CVE-2026-0394) CVE-2026-0394 dovecot: Dovecot: Information disclosure and authentication bypass via path traversal

Bug 2452173 (CVE-2026-0394) - CVE-2026-0394 dovecot: Dovecot: Information disclosure and authentication bypass via path traversal

Summary: CVE-2026-0394 dovecot: Dovecot: Information disclosure and authentication byp...

Keywords:
Status:	NEW
Alias:	CVE-2026-0394
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2026-03-27 09:02 UTC by OSIDB Bzimport
Modified:	2026-03-27 14:41 UTC (History)
CC List:	0 users
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2026-03-27 09:02:00 UTC

When dovecot has been configured to use per-domain passwd files, and they are placed one path component above /etc, or slash has been added to allowed characters, path traversal can happen if the domain component is directory partial. This allows inadvertently reading /etc/passwd (or some other path which ends with passwd). If this file contains passwords, it can be used to authenticate wrongly, or if this is userdb, it can unexpectly make system users appear valid users.  Upgrade to fixed version, or use different authentication scheme that does not rely on paths. Alternatively you can also ensure that the per-domain passwd files are in some other location, such as /etc/dovecot/auth/%d. No publicly available exploits are known.

Note You need to log in before you can comment on or make changes to this bug.