Dovecot Flaw Lets Users Access Wrong Email Accounts

A newly disclosed security flaw in Dovecot, a widely used open-source IMAP and POP3 email server, may allow unauthorized access to user accounts because of a mismanaged authentication cache. The vulnerability, tracked as CVE-2025-30189, was disclosed on the Full Disclosure mailing list. The flaw can let a user inadvertently gain access to another user's account when cached authentication details are incorrectly shared between sessions.

The issue stems from Dovecot's auth cache mechanism, which can return the wrong authentication result under certain conditions. This behavior could lead to serious data privacy violations in environments that rely on the server for secure email access. Under those conditions a user may bypass account-level access controls, which is a particular concern for administrators of multi-user systems.

Security professionals and system administrators are advised to review the technical details and watch for fixes or mitigation steps. The full disclosure is available in the original announcement:

https://seclists.org/fulldisclosure/2025/Oct/29
