Platform: linux
Component: ox-dovecot-pro-managesieve
Fixed in: 2.3.1, 3.1.1, 2.4.1
CVE-2026-27858 describes a memory exhaustion vulnerability in Dovecot Pro managesieve affecting versions 0.0 through 3.1.0. An unauthenticated attacker can trigger it by sending a specially crafted message before authentication, causing excessive memory allocation and a potential denial of service. Because the managesieve-login process can be crashed repeatedly, the service can be rendered unavailable. Upgrading to a fixed version is recommended.
This vulnerability allows an attacker to disrupt email services by repeatedly crashing the managesieve-login process. No authentication is required to trigger the memory exhaustion, which makes the attack relatively easy to execute. Successful exploitation results in a denial of service, preventing legitimate users from managing their Sieve filters via the managesieve protocol. While no public exploits are currently available, the low barrier to triggering the vulnerability raises concerns about future exploitation and its impact on email availability.
CVE-2026-27858 was published on 2026-03-27. No public proof-of-concept exploits are currently known, and the EPSS score is pending evaluation. No active campaigns have been reported, but the ease of triggering the vulnerability means exploitation is plausible if a suitable exploit is developed.
Exploit Status
EPSS: 0.06% (18th percentile)
CISA SSVC:
CVSS Vector:
The primary mitigation for CVE-2026-27858 is to upgrade Dovecot Pro managesieve to a version that includes the fix. If upgrading immediately is not possible, restrict access to the managesieve protocol to trusted clients or networks. Consider rate limiting incoming managesieve connections so an attacker cannot repeatedly send malicious messages. Monitoring system memory usage and the crash rate of managesieve-login processes can help detect exploitation attempts. After upgrading, confirm the fix by sending a crafted message (as described in the vulnerability report) and verifying that the managesieve-login process no longer crashes.
Update OX Dovecot Pro to a version later than 3.1.0 or implement access protection measures for the managesieve protocol. This prevents attackers from sending malicious messages that consume large amounts of memory and crash the service. Refer to the Open-Xchange documentation for details on protection measures.
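As an added illustration of the access restriction and memory containment recommended above (this is example configuration, not text from the advisory or from Open-Xchange), the fragment below assumes Dovecot 2.3-style 10-master.conf syntax and a constructed internal listen address 10.0.0.5; the limit values are illustrative, so check setting names and sizes against the documentation for your OX Dovecot Pro version.

```conf
# Added example: harden the pre-authentication managesieve-login service
# (Dovecot 2.3-style syntax assumed; verify against your version's docs).
service managesieve-login {
  # Bind the Sieve listener to an internal interface only (10.0.0.5 is a
  # constructed value), so untrusted networks cannot reach port 4190 at all.
  # Client-source filtering on the public side belongs in the host firewall.
  inet_listener sieve {
    address = 10.0.0.5
    port = 4190
  }

  # Cap the address space of each login process so a single crafted
  # pre-auth message hits this limit instead of exhausting host memory.
  # 64M is an illustrative value; the Dovecot default is default_vsz_limit.
  vsz_limit = 64M

  # Bound how many login processes may exist at once, limiting the total
  # memory an attacker can tie up by opening many connections in parallel.
  process_limit = 32

  # One connection per process, so a crash affects only the connection
  # that triggered it and the process is recreated cleanly.
  service_count = 1
}
```

After reloading Dovecot, `doveconf -n service/managesieve-login` shows the effective values, and a sustained rise in managesieve-login restarts in the mail log is the signal worth alerting on.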
CVE-2026-27858 is a HIGH severity vulnerability affecting Dovecot Pro managesieve versions 0.0 through 3.1.0. A crafted message can cause excessive memory allocation, potentially crashing the managesieve-login process.
If you are using Dovecot Pro managesieve versions 0.0 through 3.1.0, you are potentially affected by this vulnerability. Upgrade to a patched version as soon as possible.
The recommended fix is to upgrade Dovecot Pro managesieve to a version that includes the patch. If upgrading is not immediately possible, restrict access to the managesieve protocol.
Currently, no public exploits are known, but the ease of triggering the vulnerability raises concerns about potential future exploitation.
Refer to the official Dovecot security advisories on the Dovecot website for the latest information and updates regarding CVE-2026-27858.