← Back to CVEs
CVE-2026-40016
MEDIUM5.3
Description
Attacker can upload a malicious Sieve script over ManageSieve service (or locally) to bypass configured CPU time limits for Sieve up to 130 times of the configured limit. Attacker can use this to degrade server performance and bypass configured CPU time limits for Sieve scripts. Install fixed version, or alternatively prevent direct access to Sieve scripts via ManageSieve or local access. No publicly available exploits are known.
CVE Details
CVSS v3.1 Score5.3
SeverityMEDIUM
CVSS VectorCVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack VectorNETWORK
ComplexityHIGH
Privileges RequiredLOW
User InteractionNONE
Published5/12/2026
Last Modified5/12/2026
Sourcenvd
Honeypot Sightings0
Weaknesses (CWE)
CWE-400
References
https://documentation.open-xchange.com/dovecot/security/advisories/csaf/2026/oxdc-adv-2026-0002.json(security@open-xchange.com)
IOC Correlations
No correlations recorded
This product uses data from the NVD API but is not endorsed or certified by the NVD.