Bug 2476464 (CVE-2026-33603) - CVE-2026-33603 dovecot: Dovecot: Information disclosure via SCRAM TLS channel binding bypass
Summary: CVE-2026-33603 dovecot: Dovecot: Information disclosure via SCRAM TLS channel...
Keywords:
Status: NEW
Alias: CVE-2026-33603
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2479583 2479584 2479585
Blocks:
Reported: 2026-05-12 14:01 UTC by OSIDB Bzimport
Modified: 2026-05-18 14:51 UTC

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description OSIDB Bzimport 2026-05-12 14:01:29 UTC
An attacker can use a specially crafted base64 exchange between Dovecot and the client to fake SCRAM TLS channel binding. This requires that the attacker is able to position itself between Dovecot and the client connection. If successful, the attacker can eavesdrop on communications between Dovecot and the client as a MITM proxy. Install fixed version. No publicly available exploits are known.

