Strix
26.1K

CVE-2026-40016

MEDIUMCVSS 6.5/10EPSS 0.34%

Last modified

CVE-2026-40016 is a medium-severity vulnerability rated 6.5/10 on the CVSS scale. Attacker can upload a malicious Sieve script over ManageSieve service (or locally) to bypass configured CPU time limits for Sieve up to 130 times of the configured limit. Attacker can use this to degrade server performance and bypass configured CPU time limits for Sieve scripts. EPSS estimates a 0.34% chance of exploitation in the next 30 days.

Description

Attacker can upload a malicious Sieve script over ManageSieve service (or locally) to bypass configured CPU time limits for Sieve up to 130 times of the configured limit. Attacker can use this to degrade server performance and bypass configured CPU time limits for Sieve scripts. Install fixed version, or alternatively prevent direct access to Sieve scripts via ManageSieve or local access. No publicly available exploits are known.

Metrics

CVSS 3.1
6.5/10

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

EPSS Probability
0.34%

25.6th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

VendorProductVersions
DovecotDovecot< 2.4.4
Open-XchangeDovecot< 3.1.5

References

Timeline

Published
Last Modified
Status
Analyzed

Frequently Asked Questions

What is CVE-2026-40016?
Attacker can upload a malicious Sieve script over ManageSieve service (or locally) to bypass configured CPU time limits for Sieve up to 130 times of the configured limit. Attacker can use this to degrade server performance and bypass configured CPU time limits for Sieve scripts. Install fixed version, or alternatively prevent direct access to Sieve scripts via ManageSieve or local access. No publicly available exploits are known.
How severe is CVE-2026-40016?
CVE-2026-40016 has a CVSS score of 6.5/10 (MEDIUM severity). The EPSS model estimates a 0.34% probability of exploitation in the next 30 days.
How do I fix CVE-2026-40016?
Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2026-40016?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST