Cyber Resilience

CVE-2026-24031

Severity: High (updated)
Published: 27 March 2026
Modified: 30 June 2026
KEV Added: not listed
Patch: fixed version available
CVSS Score v3.1: 7.7 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L)
EPSS Score: 0.0029 (21.1st percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-24031 is a high-severity SQL Injection (CWE-89) vulnerability in Dovecot. Its CVSS v3.1 base score is 7.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 21.1st percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-24031 is a vulnerability in Dovecot's SQL-based authentication: the authentication can be bypassed if an administrator has cleared the auth_username_chars configuration setting. This issue, classified under CWE-89 (SQL Injection), affects Dovecot installations that use SQL authentication and have applied that configuration change. Published on 2026-03-27 with a CVSS v3.1 base score of 7.7 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L), it enables unauthorized access to and reconnaissance against affected mail servers.

Remote, unprivileged attackers can exploit this vulnerability over the network, though the attack complexity is rated high. Successful exploitation allows bypassing authentication for any user account and enumerating users, with high confidentiality and integrity impact (for example, access to user mailboxes) and low availability impact.

The Open-Xchange Dovecot security advisory (oxdc-adv-2026-0001.json) recommends not clearing the auth_username_chars setting as the primary mitigation. If reconfiguration is not feasible, administrators should install the latest fixed version of Dovecot. No publicly available exploits are known at this time.
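As an added example (not Dovecot's code or the advisory's), the following Python audits a dovecot.conf fragment for a cleared auth_username_chars setting and mirrors the character allowlist that the setting places in front of SQL authentication. The default allowlist value, the last-assignment-wins parsing and the sample config fragments are assumptions or constructed inputs; verify the default against your Dovecot version's documentation.

```python
import re

# Assumed Dovecot default for auth_username_chars (verify against your version's docs).
DEFAULT_USERNAME_CHARS = (
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@"
)

# Matches "auth_username_chars = <value>" and captures the (possibly empty) value.
_SETTING_RE = re.compile(r"^\s*auth_username_chars\s*=\s*(.*?)\s*$")


def find_auth_username_chars(config_text):
    """Return the effective auth_username_chars value from dovecot.conf-style
    text (assumed: last assignment wins), or None if it is never set, in which
    case the Dovecot default applies. Full-line comments and blanks are skipped."""
    value = None
    for line in config_text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        match = _SETTING_RE.match(line)
        if match:
            value = match.group(1)
    return value


def is_cleared(config_text):
    """True when the configuration explicitly sets auth_username_chars to an
    empty string, which is the precondition described for CVE-2026-24031."""
    return find_auth_username_chars(config_text) == ""


def username_allowed(username, allowed=DEFAULT_USERNAME_CHARS):
    """Mirror the allowlist check auth_username_chars gives SQL authentication:
    every character of the username must be in `allowed`. An empty allowlist
    means any character is accepted, i.e. the filter is switched off."""
    if allowed == "":
        return True
    return all(ch in allowed for ch in username)


# Constructed sample fragments, not taken from a real deployment.
WEAK_CONFIG = """\
# constructed fragment: the setting has been cleared by the admin
auth_mechanisms = plain login
auth_username_chars =
"""
SAFE_CONFIG = (
    "# constructed fragment: the setting keeps a non-empty allowlist\n"
    "auth_mechanisms = plain login\n"
    "auth_username_chars = " + DEFAULT_USERNAME_CHARS + "\n"
)
```

Run `is_cleared()` over each rendered configuration you manage; a True result means the allowlist is disabled and the advisory's mitigation has not been applied.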

Vulnerability details

Dovecot SQL based authentication can be bypassed when auth_username_chars is cleared by admin. This vulnerability allows bypassing authentication for any user and user enumeration. Do not clear auth_username_chars. If this is not possible, install latest fixed version. No publicly available exploits are known.

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

SQL injection in public-facing Dovecot mail server auth mechanism directly enables remote authentication bypass and account access without credentials.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-24956 (shared CWE-89)
CVE-2026-33615 (shared CWE-89)
CVE-2025-28939 (shared CWE-89)
CVE-2021-47872 (shared CWE-89)
CVE-2025-28873 (shared CWE-89)
CVE-2019-25636 (shared CWE-89)
CVE-2026-32611 (shared CWE-89)
CVE-2026-42755 (shared CWE-89)
CVE-2024-53544 (shared CWE-89)
CVE-2026-21410 (shared CWE-89)

Affected Assets

Vendor: dovecot · Product: dovecot · Versions: ≤ 2.4.3
Vendor: open-xchange · Product: dovecot · Versions: ≤ 3.1.4

Mitigating Controls (NIST 800-53 r5)

CM-6 Configuration Settings (prevent): Mandates enforcement of secure configuration settings, such as retaining auth_username_chars, to directly prevent the SQL authentication bypass in Dovecot.

Patching (prevent): Requires timely installation of software patches, aligning with the recommendation to deploy the latest fixed Dovecot version to remediate the vulnerability.

SI-10 Information Input Validation (prevent): Enforces validation of information inputs to the authentication mechanism, mitigating the SQL injection (CWE-89) that enables user enumeration and bypass when auth_username_chars is cleared.
