Classification: TLP:GREEN
Internal reference: DOV-7830
Type: CWE-1250 (Improper Preservation of Consistency Between Independent Representations of Shared State)
Component: core
Report confidence: Confirmed
Solution status: Fixed by vendor
Last affected revision: OX Dovecot Pro core 2.4.0
First fixed revision: OX Dovecot Pro core 2.4.2
Discovery date: 2025-07-25
Solution date: 2025-10-29
Disclosure date: 2025-10-31
Researcher credits: Erik
CVE: CVE-2025-30189
CVSS: 7.4 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)

Details:
v2.4 regression: the auth cache is broken with several passdb/userdb drivers. When the cache is enabled, some passdb/userdb drivers incorrectly cache all users with the same cache key, causing wrong cached information to be used for these users.

Risk:
After a cached login, all subsequent logins are for the same user. No publicly available exploits are known.

Solution:
Install the fixed version, or disable caching either globally or for the impacted passdb/userdb drivers.
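
The caching failure described under Details, modelled as an added example (not Dovecot code and not from the vendor). The `AuthCache` class, the key functions and the sample users are constructed for illustration; the model compares a key shared by all users with a per-user key and with the cache disabled.

```python
# Toy model of an authentication result cache. Not Dovecot source code:
# every name and value here is constructed for illustration.
from typing import Callable, Dict, List

# Constructed backend standing in for a passdb/userdb lookup.
BACKEND: Dict[str, dict] = {
    "alice": {"home": "/srv/mail/alice"},
    "bob": {"home": "/srv/mail/bob"},
}


def backend_lookup(username: str) -> dict:
    """Authoritative lookup: always returns the record of the requested user."""
    return dict(BACKEND[username], user=username)


class AuthCache:
    def __init__(self, key_for: Callable[[str], str], enabled: bool = True):
        self.key_for = key_for          # how a cache key is derived per request
        self.enabled = enabled          # False models the "disable caching" workaround
        self.entries: Dict[str, dict] = {}

    def lookup(self, username: str) -> dict:
        if not self.enabled:
            return backend_lookup(username)
        key = self.key_for(username)
        if key not in self.entries:     # miss: ask the backend and store the result
            self.entries[key] = backend_lookup(username)
        return self.entries[key]        # hit: trust whatever is stored under this key


def shared_key(username: str) -> str:
    """Defect class from the advisory: the key does not vary with the user."""
    return "driver-1"


def per_user_key(username: str) -> str:
    """Consistent behaviour: the key includes the identity being looked up."""
    return f"driver-1/{username}"


def resolved_users(cache: AuthCache, logins: List[str]) -> List[str]:
    """Return which account record each login in the sequence resolves to."""
    return [cache.lookup(name)["user"] for name in logins]


if __name__ == "__main__":
    for label, cache in [("shared key", AuthCache(shared_key)),
                         ("per-user key", AuthCache(per_user_key)),
                         ("cache disabled", AuthCache(shared_key, enabled=False))]:
        print(label, resolved_users(cache, ["alice", "bob", "alice"]))
```

With the shared key, the first login fills the single cache entry and every later login is served that entry, which matches the Risk statement; the other two configurations resolve each login to its own record.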