An authentication bypass vulnerability has been discovered in the Horde_Ldap library that's being used by all components of the Horde project that communicate with LDAP servers. A fixed version has been released and everybody using LDAP in their Horde installations is advised to upgrade to Horde_Ldap 2.0.6 as soon as possible. So far only certain setups have been confirmed to be exploitable: the system must use LDAP for authentication, an LDAP user must have been specified for binding (as opposed to anonymous binding), that LDAP user must have the same parent DN as the system users, and the attacker must guess the binding user's name. In this case the attacker can log in with the guessed name and an empty password. Whether this actually allows for further access to data or to the system depends completely on the individual setup. It's possible that other mitigating factors exist that haven't been discovered yet. Thanks to Matthew Daley for detecting and reporting this vulnerability.
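The advisory above describes the symptom (a guessed bind-account name plus an empty password is accepted) but not the library internals. The following is an added, constructed example, not Horde_Ldap's code and not a reproduction of its defect: it models the general pitfall any LDAP login wrapper must guard against. Per RFC 4513 section 5.1.2, a simple bind with a DN and an empty password is an "unauthenticated" bind, which many servers answer with success without authenticating anyone, so a wrapper that forwards the typed password verbatim "succeeds" for any existing DN with an empty password. `FakeLdapServer`, `BASE_DN`, `BIND_USER` and the directory entries are hypothetical stand-ins; the hardened variant also refuses interactive logins as the service bind account and rejects usernames containing DN-special characters, both defence-in-depth choices of this example rather than anything the advisory prescribes.

```python
"""Guarding an LDAP-backed login against empty-password (unauthenticated) binds.

Constructed example; FakeLdapServer stands in for a real directory server.
"""

from dataclasses import dataclass, field

# Constructed directory layout: user accounts and the service bind account
# share the same parent DN, as in the setup the advisory describes.
BASE_DN = "ou=people,dc=example,dc=org"
BIND_USER = "hordebind"  # hypothetical service account used for binding

# RFC 4514 special characters; a username containing any of these would
# change the structure of the DN we build below (assumption: usernames are
# plain uid values, so we reject rather than escape).
DN_SPECIAL = set(',+"\\<>;=#')


@dataclass
class FakeLdapServer:
    """Minimal simple-bind model of a server that permits unauthenticated bind."""

    entries: dict = field(default_factory=dict)  # dn -> password
    allow_unauthenticated: bool = True

    def simple_bind(self, dn: str, password: str) -> bool:
        if password == "":
            # RFC 4513 s5.1.2: DN + empty password is an unauthenticated bind.
            # Servers that allow it return success, proving nothing about the
            # caller's identity.
            return self.allow_unauthenticated
        return self.entries.get(dn) == password


def user_dn(username: str) -> str:
    """Build the entry DN for a login name under BASE_DN (constructed convention)."""
    return f"uid={username},{BASE_DN}"


def naive_login(server: FakeLdapServer, username: str, password: str) -> bool:
    """Forwards credentials as typed; accepts an empty password if the server does."""
    return server.simple_bind(user_dn(username), password)


def hardened_login(server: FakeLdapServer, username: str, password: str) -> bool:
    """Rejects empty passwords, DN metacharacters and the service account before binding."""
    if not username or any(c in DN_SPECIAL for c in username):
        return False
    if password.strip() == "":
        # Never hand an empty password to simple bind: it would become an
        # unauthenticated bind instead of a failed authentication.
        return False
    if username == BIND_USER:
        # The configured bind account is for the application, not for users.
        return False
    return server.simple_bind(user_dn(username), password)


def demo() -> dict:
    """Run both wrappers against a constructed directory and report the outcomes."""
    server = FakeLdapServer({
        user_dn("alice"): "s3cret",      # constructed user entry
        user_dn(BIND_USER): "bindpw",    # constructed service account entry
    })
    return {
        "naive_bind_user_empty": naive_login(server, BIND_USER, ""),
        "hardened_bind_user_empty": hardened_login(server, BIND_USER, ""),
        "hardened_alice_empty": hardened_login(server, "alice", ""),
        "hardened_alice_ok": hardened_login(server, "alice", "s3cret"),
        "hardened_alice_wrong": hardened_login(server, "alice", "wrong"),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {'login accepted' if outcome else 'login rejected'}")
```

The naive wrapper reports a successful login for the bind account with an empty password even though no password was checked; the hardened wrapper never issues the bind at all. With a real client library the same rule applies: check for an empty password in application code, and do not rely on the server to refuse unauthenticated binds, since that is a server-side configuration you may not control.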
To which port does this PR apply?
(In reply to Mark Linimon from comment #1) > To which port does this PR apply? /usr/ports/net/pear-Horde_Ldap
Thank you for the information, I have updated the port to 2.2.0
Committed some time ago.