CVE-2026-33603

MEDIUM
Published May 12, 2026 Modified May 18, 2026 CWE-99

Description

Attacker can use a specially crafted base64 exchange between Dovecot and Client to fake SCRAM TLS channel binding. This requires that the attacker is able to position itself between Dovecot and the client connection. If successful, the attacker can eavesdrop communications between Dovecot and client as MITM proxy. Install fixed version. No publicly available exploits are known.

CVSS v3.1 Score

6.8
MEDIUM
CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

EPSS — Exploit Prediction

0.0001
Probability of exploitation
0.01%
Percentile rank

EPSS estimates the probability that this vulnerability will be exploited in the wild within the next 30 days. A higher score means more likely to be exploited.

Weakness Type (CWE)

CWE-99 CWE-99

Affected Products

Vendor Product
dovecot dovecot
open-xchange dovecot

References

Frequently Asked Questions

What is CVE-2026-33603? +
Attacker can use a specially crafted base64 exchange between Dovecot and Client to fake SCRAM TLS channel binding. This requires that the attacker is able to position itself between Dovecot and the client connection. If successful, the attacker can eavesdrop communications between Dovecot and client as MITM proxy. Install fixed version. No publicly available exploits are known. It has a CVSS v3.1 base score of 6.8 (MEDIUM).
How severe is CVE-2026-33603? +
CVE-2026-33603 has a CVSS v3.1 score of 6.8 out of 10, rated MEDIUM. This is a medium-severity vulnerability that should be remediated as part of regular maintenance. The EPSS score is 0.0001, placing it in the 0th percentile for exploitation probability.
What products are affected by CVE-2026-33603? +
CVE-2026-33603 affects products from dovecot, open-xchange, specifically: dovecot. Check the affected products table above for specific version ranges.
How do I check if I'm vulnerable to CVE-2026-33603? +
You can use Secably's free Website Scanner to check your website for known vulnerabilities. For infrastructure scanning, use the Port Scanner to identify exposed services that may be affected. Check the vendor advisories linked above for specific patch and version information.

Related Vulnerabilities

CVE-2025-43491 9.8

A vulnerability in the Poly Lens Desktop application running on the Windows platform might allow modifications to the filesystem, which …
CVE-2025-0756 9.1

Overview The product receives input from an upstream component, but it does not restrict or incorrectly restricts the input before …
CVE-2025-2410 9.1

Port manipulation vulnerabilities in ASPECT provide attackers with the ability to con-trol TCP/IP port access if session administrator credentials become …
CVE-2024-57971 9.1

DataSourceResource.java in the SpagoBI API support in Knowage Server in KNOWAGE before 8.1.30 does not ensure that java:comp/env/jdbc/ occurs at …
CVE-2024-5706 8.8

The product receives input from an upstream component, but it does not restrict or incorrectly restricts the input before it …
CVE-2023-6605 7.2

A flaw was found in FFmpeg's DASH playlist support. This vulnerability allows arbitrary HTTP GET requests to be made on …

Don't wait for an exploit

Scan your website for vulnerabilities like CVE-2026-33603 — free, no signup required.

Start Free Scan