SOGo v5.12.7 released
March 30, 2026

The Alinto team is pleased to announce the immediate availability of SOGo v5.12.7. This is a major release, as it fixes major vulnerabilities.

IMPORTANT

Two major vulnerabilities have been reported and are fixed in version 5.12.7, and in nightly builds since that of 26 March 2026 (sogo_5.12.6.20260326). It is difficult to say in which specific version these vulnerabilities were introduced, so assume that every version below 5.12.7 is affected.

These vulnerabilities only affect your system if it uses one of the specific configurations detailed below.

Please read carefully and update immediately if you match one of these cases.

Vulnerability 1

  • You have at least one user source of kind: PostgreSQL

CVE-2026-39178: SOGo before 5.12.7 contains a SQL injection vulnerability in the change password component. This issue affects installations using at least one PostgreSQL user source and can lead to mass user password changes, database compromise, and server-side code execution. This issue is fixed in SOGo 5.12.7.

Vulnerability 2

  • You have at least one user source of kind: sql (MariaDB or PostgreSQL)
  • Your passwords are stored in plain text in your user source: userPasswordAlgorithm = none, plain or cleartext

CVE-2026-39179: SOGo before 5.12.7 contains a SQL injection vulnerability in the search contact component. This issue affects installations using at least one MariaDB or PostgreSQL-based SQL user source with cleartext password storage and can lead to database compromise and server-side code execution. This issue is fixed in SOGo 5.12.7.


If your system does not fall into one of these cases, meaning you’re using an LDAP user source or MariaDB with encrypted passwords, you’re safe and this update is not mandatory.
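
A configuration check for the two cases above, as an added example that is not part of the SOGo announcement or code base: it reads the `SOGoUserSources` array of a `sogo.conf`-style file and lists the source ids matching each CVE's condition. It assumes a PostgreSQL source is recognisable by a `postgresql://` `viewURL`, flags an unset `userPasswordAlgorithm` conservatively, and runs on a constructed sample.

```python
import re

CLEARTEXT = {"none", "plain", "cleartext"}  # values listed in the advisory
# Constructed sample configuration (not a real deployment).
SAMPLE = r'''{
  SOGoProfileURL = "postgresql://sogo:pw@db:5432/sogo/sogo_user_profile";
  SOGoUserSources = (
    { type = ldap; id = corp; hostname = "ldap://ldap.example.org"; },
    { type = sql; id = pg_users; userPasswordAlgorithm = ssha512;
      viewURL = "postgresql://sogo:pw@db:5432/sogo/sogo_view"; },
    { type = sql; id = my_plain; userPasswordAlgorithm = plain;
      viewURL = "mysql://sogo:pw@db:3306/sogo/sogo_view"; },
    // { type = sql; id = old; viewURL = "postgresql://x/y/z"; },
    { type = sql; id = my_hashed; userPasswordAlgorithm = "sha256";
      viewURL = "mysql://sogo:pw@db:3306/sogo/sogo_view"; }
  );
}'''

def user_sources(conf):
    """Yield each dictionary of the SOGoUserSources array as {key: value}."""
    conf = re.sub(r"/\*.*?\*/", "", conf, flags=re.S)  # block comments
    conf = re.sub(r"^\s*//.*$", "", conf, flags=re.M)  # whole-line comments only (URLs contain //)
    m = re.search(r"SOGoUserSources\s*=\s*\(", conf)
    depth, start = 0, 0
    for i in range(m.end() if m else len(conf), len(conf)):
        c = conf[i]
        if c == "{":
            start, depth = (i if depth == 0 else start), depth + 1
        elif c == "}":
            depth -= 1
            if depth == 0:  # end of one top-level source dictionary
                pairs = re.findall(r'(\w+)\s*=\s*("?)([^";{}()]*)\2\s*;', conf[start:i])
                yield {k: v.strip() for k, _, v in pairs}
        elif c == ")" and depth == 0:
            return  # end of the SOGoUserSources array

def affected(conf):
    """Map each CVE to the ids of user sources matching the advisory's condition."""
    hits = {"CVE-2026-39178": [], "CVE-2026-39179": []}
    for src in user_sources(conf):
        if src.get("type", "").lower() != "sql":
            continue  # LDAP sources are outside both cases
        sid = src.get("id", "?")
        if src.get("viewURL", "").lower().startswith("postgresql:"):  # assumption: scheme identifies the backend
            hits["CVE-2026-39178"].append(sid)
        algo = src.get("userPasswordAlgorithm")
        if algo is None or algo.lower() in CLEARTEXT:  # unset is flagged: conservative choice of this example
            hits["CVE-2026-39179"].append(sid)
    return hits
```

Call `affected(open("/path/to/sogo.conf").read())` with the path of your own configuration file; any non-empty list means the matching case applies and the update should be installed immediately.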

See the closed tickets for this release and the complete change log.
