CVE-2026-0394

Publication date 27 March 2026

Last updated 27 March 2026

Ubuntu priority

Description

auth: Path traversal in passwd-file passdb using `%d` (domain) escapes base directory and opens `/etc/passwd`Pre-auth path traversal in passwd-file passdb using `%d` (domain) escapes base directory and opens `/etc/passwd`. When dovecot has been configured to use per-domain passwd files, and they are placed one path component above /etc, or slash has been added to allowed characters, path traversal can happen if the domain component is directory partial. This allows inadvertently reading /etc/passwd (or some other path which ends with passwd). If this file contains passwords, it can be used to authenticate wrongly, or if this is userdb, it can unexpectly make system users appear valid users. No publicly available exploits are known.

Status

Show unmaintained releases

Package	Ubuntu Release	Status
dovecot	25.10 questing	Not affected
	24.04 LTS noble	Vulnerable
	22.04 LTS jammy	Vulnerable
	20.04 LTS focal	Vulnerable
	18.04 LTS bionic	Vulnerable
	16.04 LTS xenial	Vulnerable
	14.04 LTS trusty	Vulnerable

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package	Patch details
dovecot	Upstream: c4fbf9a Upstream: 7fb773c

References

Other references

https://www.cve.org/CVERecord?id=CVE-2026-0394