The Alinto team is pleased to announce the immediate availability of SOGo v5.12.7. This is a major release as it fix major vulnerabilities.

IMPORTANT

Two major vulnerabilities have been reported and fixed in this version 5.12.7 or since the nightly of the 26th March 2026: sogo_5.12.6.20260326. Difficult to say from which specific version those vulnerabilities were there so, assume that any version below 5.12.7 are affected.

Those vulnerabilities only affect your system if you are with a specific configuration, detailed below.

Please read carefully and update immediately if you match one of these cases.

Vulnerability 1

• You have at least one user source of kind: PostgreSQL

Vulnerability 2

• You have at least one user source of kind: sql (Mariadb or PosgtgreSQL)
• Your password are stored in plain text in your user source: userPasswordAlgorithm = none, plain or cleartext

If your system is not within one of these cases, meaning you’re using ldap user source or mariadb with encrypted password, you’re safe and this update is not mandatory.

See the closed tickets for this release and the complete change log.