{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27858", "assignerOrgId": "8ce71d90-2354-404b-a86e-bec2cc4e6981", "state": "PUBLISHED", "assignerShortName": "OX", "dateReserved": "2026-02-24T08:46:09.374Z", "datePublished": "2026-03-27T08:10:21.424Z", "dateUpdated": "2026-03-27T12:37:09.762Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "modules": ["core"], "product": "OX Dovecot Pro", "vendor": "Open-Xchange GmbH", "versions": [{"lessThanOrEqual": "2.3.0", "status": "affected", "version": "0", "versionType": "semver"}, {"lessThanOrEqual": "3.1.0", "status": "affected", "version": "0", "versionType": "semver"}, {"lessThanOrEqual": "2.4.0", "status": "affected", "version": "0", "versionType": "semver"}]}], "descriptions": [{"lang": "en", "value": "Attacker can send a specifically crafted message before authentication that causes managesieve to allocate large amount of memory.\r\n Attacker can force managesieve-login to be unavailable by repeatedly crashing the process. Protect access to managesieve protocol, or install fixed version. No publicly available exploits are known."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-400", "description": "Uncontrolled Resource Consumption", "lang": "en", "type": "cwe"}]}], "providerMetadata": {"orgId": "8ce71d90-2354-404b-a86e-bec2cc4e6981", "shortName": "OX", "dateUpdated": "2026-03-27T12:33:31.126Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://documentation.open-xchange.com/dovecot/security/advisories/csaf/2026/oxdc-adv-2026-0001.json"}], "source": {"defect": "DOV-8818", "discovery": "EXTERNAL"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-27T12:36:26.526829Z", "id": "CVE-2026-27858", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-27T12:37:09.762Z"}}]}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Attacker can send a specifically crafted message before authentication that causes managesieve to allocate large amount of memory.\r\n Attacker can force managesieve-login to be unavailable by repeatedly crashing the process. Protect access to managesieve protocol, or install fixed version. No publicly available exploits are known."}], "id": "CVE-2026-27858", "lastModified": "2026-03-27T09:16:20.073", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security@open-xchange.com", "type": "Secondary"}]}, "published": "2026-03-27T09:16:20.073", "references": [{"source": "security@open-xchange.com", "url": "https://documentation.open-xchange.com/dovecot/security/advisories/csaf/2026/oxdc-adv-2026-0001.json"}], "sourceIdentifier": "security@open-xchange.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-400"}], "source": "security@open-xchange.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-03-27T09:36:22.290248+00:00", "value": {"mitigation_remediation": ["Install the vendor\u2011supplied patch or updated version that addresses CVE\u20112026\u201127858", "Restrict or firewall access to the managesieve protocol from untrusted networks", "If a patch is not immediately available, consider disabling the managesieve service or enforcing strict access controls"], "summary": {"action": "Apply Patch", "impact": "Denial of Service via excessive memory allocation in managesieve protocol"}, "threat_synthesis": {"affected_systems": "The vulnerable product is Open\u2011Xchange GmbH\u2019s OX Dovecot Pro. No specific version information is provided in the CNA data, so users should verify whether their deployment includes the impacted managesieve implementation.", "description_and_impact": "This vulnerability allows an attacker to send a specially crafted message before authenticating to the managesieve service, causing the server to allocate an excessive amount of memory. The result is a denial\u2011of\u2011service condition, either by exhausting system resources or by crashing the managesieve\u2011login process. The weakness exemplifies uncontrolled resource consumption (CWE\u2011400).", "risk_and_exploitability": "The CVSS score of 7.5 indicates high severity. No EPSS data or KEV listing is available, and no public exploits are known. Nevertheless, an attacker only needs to send a crafted message over the network before authentication, making the threat vector remote and potentially reachable from any host with connectivity to the managesieve service."}}}}, "created": "2026-03-27T09:45:43.837788+00:00", "title": "Memory Allocation Denial of Service via Crafted Managesieve Message", "updated": "2026-03-27T09:45:43.837816+00:00", "vendors": []}