CVE-2026-24031
Published: 27 March 2026
Summary
CVE-2026-24031 is a high-severity SQL Injection (CWE-89) vulnerability in Dovecot. Its CVSS base score is 7.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); it is ranked at the 21.1st percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2026-24031 is an authentication bypass in Dovecot's SQL-based authentication mechanism: the check can be bypassed if an administrator clears the auth_username_chars configuration setting. The issue is classified under CWE-89 (SQL Injection) and affects Dovecot installations that use SQL authentication and have applied that configuration change. Published on 2026-03-27 with a CVSS v3.1 base score of 7.7 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L), it enables unauthorized access and reconnaissance (user enumeration) against affected mail servers.
Remote attackers without privileges can exploit this vulnerability over the network, though it requires high attack complexity. Successful exploitation allows bypassing authentication for any user account and performing user enumeration, potentially granting attackers high-level confidentiality and integrity impacts, such as accessing user mailboxes, alongside low availability disruption.
The Open-Xchange Dovecot security advisory (oxdc-adv-2026-0001.json) recommends not clearing the auth_username_chars setting as the primary mitigation. If reconfiguration is not feasible, administrators should install the latest fixed version of Dovecot. No publicly available exploits are known at this time.
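As an added illustration (not code from the advisory, from Open-Xchange or from Dovecot itself), the following Python script audits a Dovecot configuration text for a cleared auth_username_chars and emulates the username-character filter that setting provides. The default character set and the rule that a repeated setting's last assignment wins are assumptions taken from Dovecot's documentation, and the configuration snippets are constructed.

```python
import re

# Dovecot's documented default for auth_username_chars (assumption: taken
# from the Dovecot settings documentation, not from this advisory).
DEFAULT_USERNAME_CHARS = (
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@"
)

# One "auth_username_chars = value" line; "#"-commented lines do not match
# because the key must start the line (only horizontal whitespace before it).
_SETTING_RE = re.compile(r"^[ \t]*auth_username_chars[ \t]*=[ \t]*(.*?)[ \t]*$", re.M)

def audit_auth_username_chars(conf_text: str) -> dict:
    """Report the effective allowed-character set for usernames.

    Absent setting: the default applies. Explicit empty value: the cleared
    state the advisory warns about. Repeated setting: last one wins (assumption).
    """
    values = _SETTING_RE.findall(conf_text)
    if not values:
        return {"effective": DEFAULT_USERNAME_CHARS, "explicit": False, "cleared": False}
    value = values[-1].strip("\"'")
    return {"effective": value, "explicit": True, "cleared": value == ""}

def username_allowed(username: str, allowed_chars: str) -> bool:
    """Emulate the filter: an empty set disables filtering entirely,
    otherwise every character of the username must be in the set."""
    return allowed_chars == "" or all(c in allowed_chars for c in username)

def check_conf(conf_text: str) -> list:
    """Return human-readable findings for one configuration text."""
    findings = []
    if audit_auth_username_chars(conf_text)["cleared"]:
        findings.append("auth_username_chars is cleared: usernames reach the SQL "
                        "passdb unfiltered (CVE-2026-24031); restore the default "
                        "character set or install the fixed Dovecot version")
    return findings

# Constructed sample configurations (not taken from any real deployment).
SAFE_CONF = ("auth_mechanisms = plain login\n"
             "passdb {\n  driver = sql\n  args = /etc/dovecot/dovecot-sql.conf.ext\n}\n")
WEAK_CONF = SAFE_CONF + "auth_username_chars =\n"

if __name__ == "__main__":
    for name, conf in (("safe", SAFE_CONF), ("weak", WEAK_CONF)):
        print(name, check_conf(conf) or ["no findings"])
```

The same regex can be run over the output of `doveconf -n` to audit the effective configuration rather than a single file.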
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-16561
Vulnerability details
Dovecot SQL based authentication can be bypassed when auth_username_chars is cleared by admin. This vulnerability allows bypassing authentication for any user and user enumeration. Do not clear auth_username_chars. If this is not possible, install latest fixed version. No publicly available exploits are known.
- CWE(s): CWE-89 (SQL Injection)
Related Threats
MITRE ATT&CK Enterprise Techniques
- Exploit Public-Facing Application (T1190)
Why these techniques?
SQL injection in public-facing Dovecot mail server auth mechanism directly enables remote authentication bypass and account access without credentials.
Mitigating Controls (NIST 800-53 r5)
- CM-6 (Configuration Settings): Mandates enforcement of secure configuration settings, such as retaining auth_username_chars, to directly prevent the SQL authentication bypass in Dovecot.
- Requires timely installation of software patches, aligning with the recommendation to deploy the latest fixed Dovecot version to remediate the vulnerability.
- SI-10 (Information Input Validation): Enforces validation of inputs to the authentication mechanism, mitigating the SQL injection (CWE-89) that enables user enumeration and bypass when auth_username_chars is cleared.