Copyright © 2012 Red Hat, Inc. All rights reserved. Moderate 2026-05-12T13:28:46 dovecot: dovecot: Denial of Service via IMAP SETACL command injection 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CWE-88

A flaw was found in dovecot. A remote attacker can exploit the Internet Message Access Protocol (IMAP) SETACL command to inject "anyone" permissions into a user's dovecot-acl file, even when the imap_acl_allow_anyone setting is disabled. This vulnerability allows an attacker to spam folders to all users, leading to a denial of service by disrupting normal email service. No unauthorized access to user data is gained.

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability. Red Hat Enterprise Linux 10 Fix deferred dovecot Red Hat Enterprise Linux 6 Fix deferred dovecot Red Hat Enterprise Linux 8 Fix deferred dovecot Red Hat Enterprise Linux 9 Fix deferred dovecot https://www.cve.org/CVERecord?id=CVE-2026-40020 https://nvd.nist.gov/vuln/detail/CVE-2026-40020 https://documentation.open-xchange.com/dovecot/security/advisories/csaf/2026/oxdc-adv-2026-0002.json