CVE-2026-27851

Description

When safe filter is used with variable expansion, all following pipelines on the same string are incorrectly interpreted as safe too, enabling unsafe data to be unescaped. This can enable SQL / LDAP injection attacks when used in authentication. Avoid using safe filter until on fixed version. No publicly available exploits are known.

CVSS Details

CVSS Score

7.4

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

Configurations (Affected Products)

No configuration data available.

Open-Xchange (具体受影响版本请参考官方安全公告 OXDC-ADV-2026-0002)

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

# Conceptual PoC demonstrating the safe filter bypass vulnerability
# This simulates how the 'safe' filter status propagates incorrectly

def vulnerable_template_render(user_input):
    # Simulating variable expansion in the template engine
    expanded_string = f"search_filter=(uid={user_input})"

    # Pipeline Step 1: The 'safe' filter is applied
    # In the vulnerable version, this marks the entire object as 'safe'
    safe_marked_data = apply_safe_filter(expanded_string)

    # Pipeline Step 2: Subsequent filter intended for LDAP escaping
    # Due to the bug, this filter sees the 'safe' flag and skips escaping
    final_output = apply_ldap_escape_filter(safe_marked_data)

    return final_output

def apply_safe_filter(data):
    # Buggy behavior: Marks data as safe, preventing future escaping
    data.is_safe = True
    return data

def apply_ldap_escape_filter(data):
    # Check internal safety flag (simulated)
    if getattr(data, 'is_safe', False):
        # BUG: If marked safe, return raw data without escaping
        return str(data)
    
    # Normal behavior: Escape special characters
    return str(data).replace("(", "\\(").replace(")", "\\)")

# Malicious payload to break LDAP syntax
payload = "*))(|(password=*))"
result = vulnerable_template_render(payload)
print(f"Constructed LDAP Query: {result}")
# Output will be unescaped, leading to authentication bypass or data exfiltration

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-27851
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-27851
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-27851/
[4] VulDB https://vuldb.com/cve/CVE-2026-27851
[5] https://documentation.open-xchange.com/dovecot/security/advisories/csaf/2026/oxdc-adv-2026-0002.json

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-27851", "sourceIdentifier": "[email protected]", "published": "2026-05-12T14:16:56.857", "lastModified": "2026-05-12T15:08:22.857", "vulnStatus": "Undergoing Analysis", "cveTags": [], "descriptions": [{"lang": "en", "value": "When safe filter is used with variable expansion, all following pipelines on the same string are incorrectly interpreted as safe too, enabling unsafe data to be unescaped. This can enable SQL / LDAP injection attacks when used in authentication. Avoid using safe filter until on fixed version. No publicly available exploits are known."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "baseScore": 7.4, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.2, "impactScore": 5.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-235"}]}], "references": [{"url": "https://documentation.open-xchange.com/dovecot/security/advisories/csaf/2026/oxdc-adv-2026-0002.json", "source": "[email protected]"}]}}