Both the doveadm-exec man page and the online manual specify that it can be used to execute commands from Dovecot's libexec_dir (which sounds like an implicit security boundary). I recently ran across a situation where doveadm-exec was whitelisted in sudoers to be run as root. I realized it was possible to do a directory traversal and run an arbitrary binary as root.
```
$ sudo doveadm exec ../../../bin/bash
```

I discovered this on Ubuntu 20.04 LTS with Dovecot 184.108.40.206 (3c910f64b).
In case doveadm is run under sudo, it would allow an adversary to execute arbitrary binaries as root.
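One way to enforce the libexec_dir boundary described in the report is sketched below as an added example; it is not Dovecot's code and not part of the original report. The function names `name_is_contained` and `resolve_in_dir` are hypothetical, and the default directory in `main` is a placeholder.

```c
/* Added illustration, not Dovecot source; all names are hypothetical. */
#define _XOPEN_SOURCE 700
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Lexical check: relative, non-empty, no empty, "." or ".." component. */
int name_is_contained(const char *name)
{
    if (name == NULL || *name == '\0' || *name == '/')
        return 0;
    while (*name != '\0') {
        size_t len = strcspn(name, "/");
        /* strncmp against ".." matches exactly "." (len 1) and ".." (len 2) */
        if (len == 0 || strncmp(name, "..", len) == 0)
            return 0;
        name += len + (name[len] == '/');
    }
    return 1;
}

/* Canonicalise dir/name (symlinks followed) and accept it only if it is
 * still below dir. out must hold PATH_MAX bytes. Returns 0 on success. */
int resolve_in_dir(const char *dir, const char *name, char *out)
{
    char base[PATH_MAX], joined[PATH_MAX];
    size_t n;
    if (!name_is_contained(name) || realpath(dir, base) == NULL)
        return -1;
    n = strlen(base);
    if (snprintf(joined, sizeof(joined), "%s/%s", base, name) >= (int)sizeof(joined)
        || realpath(joined, out) == NULL)
        return -1;
    if (n > 1 && (strncmp(out, base, n) != 0 || out[n] != '/'))
        return -1;              /* a symlink led outside dir */
    return 0;
}

int main(int argc, char **argv)
{
    char path[PATH_MAX];
    /* Defaults: placeholder directory, and the name from the report above. */
    const char *dir = argc > 1 ? argv[1] : "/path/to/libexec_dir";
    const char *name = argc > 2 ? argv[2] : "../../../bin/bash";
    int ok = resolve_in_dir(dir, name, path) == 0;
    printf("%s: %s\n", ok ? "would exec" : "refused", ok ? path : name);
    return ok ? 0 : 1;
}
```

The lexical check rejects the traversal before the filesystem is touched; the `realpath` comparison additionally catches a symlink inside the directory that points elsewhere.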