CVE-2026-27856 — Improper Authentication in Dovecot

CWE-287 — Improper Authentication CWE-208 — Observable Timing Discrepancy18 documents7 sources

Severity

7.4HIGHNVD

OSV5.3

EPSS

0.0%

top 88.34%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Dovecot Debian Dovecot Open-xchange Gmbh OX Dovecot PRO

Timeline

PublishedMar 27

Latest updateMar 31

Description

Doveadm credentials are verified using direct comparison which is susceptible to timing oracle attack. An attacker can use this to determine the configured credentials. Figuring out the credential will lead into full access to the affected component. Limit access to the doveadm http service port, install fixed version. No publicly available exploits are known.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:NExploitability: 2.2 | Impact: 5.2

Affected Packages4 packages

▶debiandebian/dovecot< dovecot 1:2.3.19.1+dfsg1-2.1+deb12u2 (bookworm)

▶Debiandovecot/dovecot< 1:2.3.19.1+dfsg1-2.1+deb12u2+1

▶Ubuntudovecot/dovecot< 1:2.3.16+dfsg1-3ubuntu2.7+2

▶CVEListV5open-xchange_gmbh/ox_dovecot_pro2.3.0

🔴Vulnerability Details

OSV

dovecot vulnerabilities↗2026-03-31

▶

GHSA

GHSA-mv3x-9fw3-qf38: Doveadm credentials are verified using direct comparison which is susceptible to timing oracle attack↗2026-03-27

▶

OSV

CVE-2026-27856: Doveadm credentials are verified using direct comparison which is susceptible to timing oracle attack↗2026-03-27

▶

📋Vendor Advisories

Ubuntu

Dovecot vulnerabilities↗2026-03-31

▶

Red Hat

dovecot: Doveadm: Full access via timing oracle attack in credential verification↗2026-03-27

▶

Debian

CVE-2026-27856: dovecot - Doveadm credentials are verified using direct comparison which is susceptible to...↗2026

▶

🕵️Threat Intelligence

Wiz

CVE-2026-27858 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶

Wiz

CVE-2026-0394 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶

Wiz

CVE-2026-27856 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶

Wiz

CVE-2026-27855 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶

Wiz

CVE-2025-59032 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶