Ubuntu 26.04 Dovecot Critical Security Issues CVE-2026-27851 2026-8365-1

ubuntu

June 2, 2026

Several security issues were fixed in Dovecot.

Summary

Several security issues were fixed in Dovecot.

Software Description:

- dovecot: IMAP and POP3 email server

Details:

It was discovered that Dovecot incorrectly treated some variable expansion

pipelines as safe in authentication filters. An attacker could possibly use

this issue to perform SQL or LDAP injection attacks. This issue only

affected Ubuntu 25.10 and Ubuntu 26.04 LTS. (CVE-2026-27851)

It was discovered that Dovecot incorrectly verified SCRAM TLS channel

binding in certain base64 exchanges. A remote attacker could possibly use

this issue to obtain sensitive information in a machine-in-the-middle

attack. (CVE-2026-33603)

It was discovered that Dovecot incorrectly enforced Sieve script CPU

limits. An attacker could possibly use this issue to cause Dovecot to use

excessive resources, leading to a denial of service. (CVE-2026-40016)

It was discovered that Dovecot incorrectly handled certain IMAP SETACL

commands. An attacker could possibly use this issue to spam folders to

...

Read the Full Advisory

Topics Covered

security advisory denial of service SQL Injection critical Ubuntu Dovecot

Update Instructions

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 26.04 LTS
  dovecot-core                    1:2.4.2+dfsg1-3ubuntu2.1

Ubuntu 25.10
  dovecot-core                    1:2.4.1+dfsg1-5ubuntu4.2

Ubuntu 24.04 LTS
  dovecot-core                    1:2.3.21+dfsg1-2ubuntu6.5

Ubuntu 22.04 LTS
  dovecot-core                    1:2.3.16+dfsg1-3ubuntu2.9

In general, a standard system update will make all the necessary changes.