← Back to CVEs
CVE-2026-27855
MEDIUM6.8
Description
Dovecot OTP authentication is vulnerable to replay attack under specific conditions. If auth cache is enabled, and username is altered in passdb, then OTP credentials can be cached so that same OTP reply is valid. An attacker able to observe an OTP exchange is able to log in as the user. If authentication happens over unsecure connection, switch to SCRAM protocol. Alternatively ensure the communcations are secured, and if possible switch to OAUTH2 or SCRAM. No publicly available exploits are known.
CVE Details
CVSS v3.1 Score6.8
SeverityMEDIUM
CVSS VectorCVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N
Attack VectorNETWORK
ComplexityHIGH
Privileges RequiredNONE
User InteractionREQUIRED
Published3/27/2026
Last Modified3/30/2026
Sourcenvd
Honeypot Sightings0
Weaknesses (CWE)
CWE-294
References
https://documentation.open-xchange.com/dovecot/security/advisories/csaf/2026/oxdc-adv-2026-0001.json(security@open-xchange.com)
IOC Correlations
No correlations recorded
This product uses data from the NVD API but is not endorsed or certified by the NVD.