{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-27851","assignerOrgId":"8ce71d90-2354-404b-a86e-bec2cc4e6981","state":"PUBLISHED","assignerShortName":"OX","dateReserved":"2026-02-24T08:46:09.372Z","datePublished":"2026-05-12T13:28:43.846Z","dateUpdated":"2026-06-30T12:08:04.975Z"},"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","modules":["core"],"product":"OX Dovecot Pro","vendor":"Open-Xchange GmbH","versions":[{"lessThanOrEqual":"3.1.4","status":"affected","version":"0","versionType":"semver"},{"lessThanOrEqual":"2.4.3","status":"affected","version":"0","versionType":"semver"}]}],"descriptions":[{"lang":"en","value":"When safe filter is used with variable expansion, all following pipelines on the same string are incorrectly interpreted as safe too, enabling unsafe data to be unescaped. This can enable SQL / LDAP injection attacks when used in authentication. Avoid using safe filter until on fixed version. No publicly available exploits are known."}],"metrics":[{"cvssV3_1":{"attackComplexity":"HIGH","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":7.4,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N","version":"3.1"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-235","description":"Improper Handling of Extra Parameters","lang":"en","type":"cwe"}]}],"providerMetadata":{"orgId":"8ce71d90-2354-404b-a86e-bec2cc4e6981","shortName":"OX","dateUpdated":"2026-05-12T13:38:59.967Z"},"references":[{"tags":["vendor-advisory"],"url":"https://documentation.open-xchange.com/dovecot/security/advisories/csaf/2026/oxdc-adv-2026-0002.json"}],"source":{"defect":"DOV-8967","discovery":"EXTERNAL"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2026-05-12T15:06:27.723154Z","id":"CVE-2026-27851","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"total"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-05-12T15:06:35.962Z"}},{"affected":[{"cpes":["cpe:/o:redhat:enterprise_linux:10"],"defaultStatus":"affected","product":"Red Hat Enterprise Linux 10","vendor":"Red Hat"},{"cpes":["cpe:/o:redhat:enterprise_linux:6"],"defaultStatus":"affected","product":"Red Hat Enterprise Linux 6","vendor":"Red Hat"},{"cpes":["cpe:/o:redhat:enterprise_linux:8"],"defaultStatus":"affected","product":"Red Hat Enterprise Linux 8","vendor":"Red Hat"},{"cpes":["cpe:/o:redhat:enterprise_linux:9"],"defaultStatus":"affected","product":"Red Hat Enterprise Linux 9","vendor":"Red Hat"}],"datePublic":"2026-05-12T13:28:43.846Z","descriptions":[{"lang":"en","value":"A flaw was found in Dovecot. When the safe filter is used with variable expansion, subsequent pipelines on the same string are incorrectly interpreted as safe, allowing unsafe data to be unescaped. This can enable SQL (Structured Query Language) or LDAP (Lightweight Directory Access Protocol) injection attacks when used in authentication, potentially leading to unauthorized access or information disclosure."}],"metrics":[{"other":{"content":{"namespace":"https://access.redhat.com/security/updates/classification/","value":"Important"},"type":"Red Hat severity rating"}},{"cvssV3_1":{"attackComplexity":"HIGH","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":7.4,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N","version":"3.1"},"format":"CVSS"}],"problemTypes":[{"descriptions":[{"cweId":"CWE-89","description":"Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","lang":"en","type":"CWE"}]}],"references":[{"tags":["vdb-entry","x_refsource_REDHAT"],"url":"https://access.redhat.com/security/cve/CVE-2026-27851"},{"name":"RHBZ#2476471","tags":["issue-tracking","x_refsource_REDHAT"],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2476471"},{"tags":["x_sadp-csaf-vex"],"url":"https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-27851.json"}],"timeline":[{"lang":"en","time":"2026-05-12T14:01:35.826Z","value":"Reported to Red Hat."},{"lang":"en","time":"2026-05-12T13:28:43.846Z","value":"Made public."}],"title":"dovecot: Dovecot: SQL/LDAP injection via incorrect safe filter interpretation with variable expansion","workarounds":[{"lang":"en","value":"To mitigate this issue, avoid using the 'safe filter' feature in Dovecot configurations that involve variable expansion.\n\nAdministrators should review Dovecot configuration files, typically found in `/etc/dovecot/conf.d/`, to identify and disable or modify any configurations that utilize the `safe filter` with variable expansion. \nA restart of the Dovecot service is necessary for these changes to take effect and may impact services relying on this feature."}],"x_adpType":"supplier","x_generator":{"engine":"sadp-cli 1.0.0"},"providerMetadata":{"orgId":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","shortName":"redhat-SADP","dateUpdated":"2026-06-30T12:08:04.975Z"}}]}}