Security Advisory: OX App Suite (7.10.6-ucs4 to 7.10.6-ucs11)

Security advisory

OX App Suite releases 7.10.6-ucs4 to 7.10.6-ucs11 shipping the Debian integration package univention-mail-dovecot-ox versions 4.0.1-3 up to and including 4.0.1-5 as well as 6.0.1 expose a security vulnerability in the access control for functional mail accounts (CVE-TEMP-2026-1 → CVE-2026-35550).

This affects UCS 5.0-x and UCS 5.2-x up to and excluding the upcoming release 5.2-5.
Nubus-for-K8s is not affected.

The severity of this issue:
High - CVSS Base Score 8.6 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N).

Long-term fix

The Debian integration package univention-mail-dovecot-ox will be updated and shipped via the repository referenced by OX App Suite release 7.10.6-ucs11. Thus, a simple univention-upgrade will be enough to install the updated Debian package. This immediately closes the vulnerability. The service dovecot will be restarted during the update.

Fixed versions

Program component: univention-mail-dovecot-ox
Reference: CVE-TEMP-2026-1 (official CVE allocation pending with MITRE)
Fixed versions: 4.0.1-8 (UCS 5.0-x) and 6.0.3 (UCS 5.2-x)
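As an added check, not part of this advisory or of Univention's own tooling, the following Python script maps the installed univention-mail-dovecot-ox version onto the affected and fixed versions listed above. It re-implements dpkg's version ordering (epoch, upstream, Debian revision, with the `~` and leading-zero rules) so the comparison can be run on any machine; the `dpkg-query` call is only used when it is available. The version boundaries are the advisory's; versions it does not mention are reported as not covered rather than guessed at.

```python
"""Classify an installed univention-mail-dovecot-ox version against this advisory.

Added example, not code from the advisory or from Univention. The comparison
routine re-implements dpkg's ordering rules in Python; the affected and fixed
versions below are taken from the advisory text.
"""
import subprocess
from typing import Optional, Tuple

PACKAGE = "univention-mail-dovecot-ox"

# Version facts as stated in the advisory.
AFFECTED_RANGES = [("4.0.1-3", "4.0.1-5"), ("6.0.1", "6.0.1")]
FIXED_VERSIONS = {"4": "4.0.1-8", "6": "6.0.3"}  # keyed by upstream major version


def _order(c: str) -> int:
    """Character weight used by dpkg: '~' < end-of-string/digit < letters < other."""
    if c == "~":
        return -1
    if c == "" or c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _verrevcmp(a: str, b: str) -> int:
    """Compare two version fragments the way dpkg's verrevcmp() does."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit run: compare character weights position by position.
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Digit run: drop leading zeros, then compare numerically.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if first_diff == 0:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1  # a has more digits, so it is the larger number
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(v: str) -> Tuple[int, str, str]:
    """Split 'epoch:upstream-revision' into its three parts (epoch defaults to 0)."""
    epoch = 0
    if ":" in v:
        head, v = v.split(":", 1)
        epoch = int(head)
    upstream, _, revision = v.rpartition("-")
    if not upstream:  # no '-' present: the whole string is the upstream version
        upstream, revision = revision, ""
    return epoch, upstream, revision


def compare_versions(v1: str, v2: str) -> int:
    """Return <0, 0 or >0 like dpkg --compare-versions lt/eq/gt."""
    e1, u1, r1 = _split(v1)
    e2, u2, r2 = _split(v2)
    if e1 != e2:
        return e1 - e2
    return _verrevcmp(u1, u2) or _verrevcmp(r1, r2)


def classify(version: str) -> str:
    """Map an installed version onto the advisory's statements."""
    major = _split(version)[1].split(".")[0]
    fixed = FIXED_VERSIONS.get(major)
    if fixed and compare_versions(version, fixed) >= 0:
        return "fixed"
    for low, high in AFFECTED_RANGES:
        if compare_versions(low, version) <= 0 and compare_versions(version, high) <= 0:
            return "affected"
    return "not covered by the advisory"


def installed_version(package: str = PACKAGE) -> Optional[str]:
    """Ask dpkg for the installed version; None if dpkg-query or the package is absent."""
    try:
        out = subprocess.run(["dpkg-query", "-W", "-f=${Version}", package],
                             capture_output=True, text=True, check=True)
    except (OSError, subprocess.CalledProcessError):
        return None
    return out.stdout.strip() or None


if __name__ == "__main__":
    v = installed_version()
    if v is None:
        print(f"{PACKAGE}: not installed or dpkg-query unavailable")
    else:
        print(f"{PACKAGE} {v}: {classify(v)}")
```

On a UCS host the script reports "affected" for the listed vulnerable builds and "fixed" once the package is at 4.0.1-8 or 6.0.3 (or later); the result only reflects the package version, so a host that has upgraded the package but not yet restarted dovecot still needs the restart mentioned under "Long-term fix".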

Details

This security update fixes an error in the Dovecot authentication PAM module of the OX App Suite application for UCS. OX users were able to authenticate against any functional account in OX as long as they could obtain the entryUUID of that functional account, even if they were not a member of it.
This enabled users to read, write and delete e-mails they should not have had access to.