CVE-2026-27855 — Authentication Bypass by Capture-replay in Dovecot

CWE-294 — Authentication Bypass by Capture-replay8 documents7 sources

Severity

6.8MEDIUMNVD

OSV5.3

EPSS

0.0%

top 87.78%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Dovecot Debian Dovecot Open-xchange Gmbh OX Dovecot PRO

Timeline

PublishedMar 27

Latest updateMar 31

Description

Dovecot OTP authentication is vulnerable to replay attack under specific conditions. If auth cache is enabled, and username is altered in passdb, then OTP credentials can be cached so that same OTP reply is valid. An attacker able to observe an OTP exchange is able to log in as the user. If authentication happens over unsecure connection, switch to SCRAM protocol. Alternatively ensure the communcations are secured, and if possible switch to OAUTH2 or SCRAM. No publicly available exploits are kno…

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:NExploitability: 1.6 | Impact: 5.2

Affected Packages4 packages

▶debiandebian/dovecot< dovecot 1:2.3.19.1+dfsg1-2.1+deb12u2 (bookworm)

▶Debiandovecot/dovecot< 1:2.3.19.1+dfsg1-2.1+deb12u2+1

▶Ubuntudovecot/dovecot< 1:2.3.16+dfsg1-3ubuntu2.7+2

▶CVEListV5open-xchange_gmbh/ox_dovecot_pro2.3.0

🔴Vulnerability Details

OSV

dovecot vulnerabilities↗2026-03-31

▶

GHSA

GHSA-7923-h3mf-4442: Dovecot OTP authentication is vulnerable to replay attack under specific conditions↗2026-03-27

▶

OSV

CVE-2026-27855: Dovecot OTP authentication is vulnerable to replay attack under specific conditions↗2026-03-27

▶

📋Vendor Advisories

Ubuntu

Dovecot vulnerabilities↗2026-03-31

▶

Red Hat

dovecot: Dovecot: Replay attack allows unauthorized login via observed One-Time Password (OTP) exchange↗2026-03-27

▶

Debian

CVE-2026-27855: dovecot - Dovecot OTP authentication is vulnerable to replay attack under specific conditi...↗2026

▶

🕵️Threat Intelligence

Wiz

CVE-2026-27855 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶