Platform: other
Component: ox-dovecot-pro
Fixed in: 2.3.1
CVE-2026-27855 describes an OTP replay vulnerability in OX Dovecot Pro. If the authentication cache is enabled and the passdb alters the username, OTP credentials can end up in the cache, so an attacker who has observed an OTP exchange can reuse it to log in as that user. OX Dovecot Pro versions 0 through 2.3.0 are affected. To mitigate, authenticate with SCRAM or OAuth2 instead of OTP, or make sure the connection itself is secured so the exchange cannot be observed.
The primary impact of CVE-2026-27855 is unauthorized access to user accounts through OTP replay. On a server where the authentication cache is enabled and the passdb alters the username, an attacker who observes an OTP exchange can replay the cached response and impersonate the user. That can lead to data exposure and account takeover, and to a wider compromise if the account holds elevated privileges. The blast radius covers every piece of data and every service the compromised account can reach.
CVE-2026-27855 was published on 2026-03-27. At the time this entry was written, no public exploit had been disclosed and the EPSS score was still pending evaluation. No active campaigns are known, but because the outcome is account takeover, this is a medium-priority issue to address, particularly in environments that rely heavily on OTP authentication.
Exploit status: (none listed)
EPSS: 0.04% (12th percentile)
CISA SSVC: (none listed)
CVSS vector: (none listed)
To mitigate CVE-2026-27855, the most effective measure is to secure the connection between the client and the Dovecot Pro server by enabling TLS/SSL, so that an OTP exchange cannot be observed in the first place. Alternatively, move to an authentication mechanism that is not subject to this replay, such as SCRAM or OAuth2. Disabling the authentication cache also removes the replay window, at some cost in login latency. If you cannot switch mechanisms immediately, at minimum require strong encryption on every connection. After applying the mitigations, verify them by replaying a previously used OTP token against an account whose username is altered by the passdb and confirming that the authentication fails.
Update to a version later than 2.3.0. Alternatively, secure communications by using SCRAM, OAUTH2 or secured connections. Disable the authentication cache if updating is not possible.
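As an added illustration of the mitigations above (not configuration from the advisory, from OX or from the Dovecot project), the following Dovecot 2.3-style configuration fragment places the exposed setup next to a hardened one. The setting names are standard Dovecot settings; the exposed values, the choice of SCRAM-SHA-256 and the file layout are assumptions for illustration only, and which SCRAM variants your build offers depends on its version.

```conf
# Added example: Dovecot conf.d fragment contrasting the exposed configuration
# described in the advisory with a hardened one. Values are illustrative.

########## Exposed (kept as comments; do not enable) ##########
# OTP offered as a mechanism while the auth cache is enabled, and TLS optional,
# so an OTP exchange can be observed and its cached response replayed.
# auth_mechanisms        = plain login otp
# auth_cache_size        = 10M        # non-zero size enables the auth cache
# auth_cache_ttl         = 1 hour
# ssl                    = yes        # TLS offered but not required
# disable_plaintext_auth = no

########## Hardened ##########
# 1. Authenticate with SCRAM instead of OTP (OAuth2 via the oauth2 passdb is
#    the other option named in the advisory). PLAIN/LOGIN stay for clients
#    that need them, but only over TLS (see below).
auth_mechanisms = scram-sha-256 plain login

# 2. Disable the authentication cache. 0 is Dovecot's default and means
#    "no cache", which closes the replay window described in the advisory.
auth_cache_size = 0

# 3. Require TLS for every non-local connection and refuse plaintext
#    authentication without it, so credentials cannot be observed in transit.
ssl = required
disable_plaintext_auth = yes
```

SCRAM only works when the passdb stores passwords in a scheme Dovecot can use for it (plaintext or the matching SCRAM-SHA-* scheme), so check your password storage before switching the mechanism. After reloading Dovecot, confirm the result with the verification step from the mitigation text: a replayed OTP token against an account whose username the passdb rewrites must be rejected.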
OTP (One-Time Password) is a single-use security code. The vulnerability is that, under certain conditions (authentication cache enabled and the username altered by the passdb), OTP responses can be cached and reused, allowing an attacker to log in as the user.
If you run Dovecot Pro with the authentication cache enabled and your passdb alters usernames, you are likely affected.
Until you can apply the update, the most practical mitigation is to disable the authentication cache or to use the SCRAM mechanism over secured connections.
A CVSS score of 6.8 indicates a medium to high severity vulnerability that requires attention and mitigation.
Consult the official Dovecot Pro documentation and industry security sources for updates and additional details.