maddy 0.2.0 - 0.6.2 allows a full authentication bypass if a SASL authorization username is specified when using the PLAIN authentication mechanism. Instead of validating the specified authorization username, maddy accepts it as is after checking the credentials for the authentication username.
maddy 0.6.3 includes the fix for the bug.
There is no way to fix the issue without upgrading.