Bug 2476465 (CVE-2026-40020) - CVE-2026-40020 dovecot: Denial of Service via IMAP SETACL command injection
Summary: CVE-2026-40020 dovecot: Denial of Service via IMAP SETACL command injection
Keywords:
Status: NEW
Alias: CVE-2026-40020
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2479587 2479589 2479588
Blocks:
Reported: 2026-05-12 14:01 UTC by OSIDB Bzimport
Modified: 2026-05-18 14:57 UTC (History)
CC: 2 users

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description OSIDB Bzimport 2026-05-12 14:01:32 UTC
An attacker can use the IMAP SETACL command to inject the "anyone" permission into a user's dovecot-acl file even when imap_acl_allow_anyone=no is set. This causes the affected folders to be spammed to all users. The impact is limited to being able to spam folders to other users; no unexpected access is gained. Update to a fixed version. No publicly available exploits are known.
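An administrator who wants to check whether any mailbox ACL already carries an "anyone" grant that imap_acl_allow_anyone=no should have prevented can scan the per-mailbox dovecot-acl files. The script below is an added example, not code from Dovecot or from this bug report. It assumes the standard dovecot-acl file layout (one entry per line, an identifier such as owner, user=name, group=name, anyone or authenticated, whitespace, then the rights letters; lines starting with "#" are comments) and that dovecot-acl files live inside the Maildir tree. It also flags "authenticated" entries, which goes beyond the report's "anyone" case; the file contents in CONSTRUCTED are made up for the demonstration.

```python
"""Scan a mail store for dovecot-acl entries that grant rights to everyone."""
import os
import tempfile

# Identifiers that apply to every user rather than a named principal.
# The report concerns "anyone"; "authenticated" is included as an assumption
# because it is equally broad for a multi-user server.
GLOBAL_IDS = {"anyone", "authenticated"}


def parse_acl(text):
    """Return (line_number, identifier, rights) for each non-comment entry."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        ident = parts[0]
        rights = parts[1].strip() if len(parts) > 1 else ""
        entries.append((lineno, ident, rights))
    return entries


def find_global_grants(text):
    """Entries that give a global identifier a non-empty set of rights."""
    return [e for e in parse_acl(text) if e[1] in GLOBAL_IDS and e[2]]


def scan_tree(root):
    """Walk root and map each offending dovecot-acl path to its findings."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        if "dovecot-acl" not in files:
            continue
        path = os.path.join(dirpath, "dovecot-acl")
        with open(path, encoding="utf-8", errors="replace") as fh:
            hits = find_global_grants(fh.read())
        if hits:
            findings[os.path.relpath(path, root)] = hits
    return findings


# Constructed sample mail store: INBOX is clean, the .Shared folder carries
# an "anyone" grant that the server configuration should not have allowed.
CONSTRUCTED = {
    "Maildir/dovecot-acl": "owner lrwstipekxa\nuser=alice lr\n",
    "Maildir/.Shared/dovecot-acl": (
        "# constructed: unexpected global grant\n"
        "owner lrwstipekxa\n"
        "anyone lrs\n"
    ),
}


def demo():
    """Write the constructed store to a temp dir, scan it, return findings."""
    with tempfile.TemporaryDirectory() as root:
        for rel, text in CONSTRUCTED.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w", encoding="utf-8") as fh:
                fh.write(text)
        return scan_tree(root)


if __name__ == "__main__":
    for path, hits in demo().items():
        for lineno, ident, rights in hits:
            print(f"{path}:{lineno}: {ident} {rights}")
```

Point scan_tree at the real mail root (for example the directory holding each user's Maildir) to get a list of folders whose ACL is open to everyone; each hit names the file and line so the entry can be reviewed and removed after updating Dovecot.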

