CVE-2026-33603

Published: Mag 12, 2026 Last Modified: Mag 12, 2026

ExploitDB:

Other exploit source:

Google Dorks:

MEDIUM 6,8

Source: [email protected]

Attack Vector: adjacent_network

Attack Complexity: high

Privileges Required: none

User Interaction: none

Scope: unchanged

Confidentiality: high

Integrity: high

Availability: none

Description

AI Translation Available

Attacker can use a specially crafted base64 exchange between Dovecot and Client to fake SCRAM TLS channel binding. This requires that the attacker is able to position itself between Dovecot and the client connection. If successful, the attacker can eavesdrop communications between Dovecot and client as MITM proxy. Install fixed version. No publicly available exploits are known.

Improper Control of Resource Identifiers ('Resource Injection')

Draft

Abstraction: Class Structure: Simple

Common Consequences

Security Scopes Affected:

Confidentiality Integrity

Potential Impacts:

Read Application Data Modify Application Data Read Files Or Directories Modify Files Or Directories

Applicable Platforms

All platforms may be affected

Likelihood of Exploit: High

View CWE Details

https://documentation.open-xchange.com/dovecot/security/adv…

https://documentation.open-xchange.com/dovecot/security/advisories/csaf/2026/ox…

CVE-2026-33603

Description

Improper Control of Resource Identifiers ('Resource Injection')

Common Consequences

Applicable Platforms

Iscriviti alla newsletter