NextGuard
UNKNOWNCVE-2026-27855

Dovecot OTP authentication is vulnerable to replay attack under specific conditions. If auth cache is enabled, and username is altered in passdb, then OTP credentials can be cached so that same OTP re

Platform

other

Component

ox-dovecot-pro

View on NVD

Dovecot OTP authentication is vulnerable to replay attack under specific conditions. If auth cache is enabled, and username is altered in passdb, then OTP credentials can be cached so that same OTP reply is valid. An attacker able to observe an OTP exchange is able to log in as the user. If authentication happens over unsecure connection, switch to SCRAM protocol. Alternatively ensure the communcations are secured, and if possible switch to OAUTH2 or SCRAM. No publicly available exploits are known.

How to fix

Actualice a una versión posterior a la 2.3.0. Como alternativa, asegure las comunicaciones utilizando SCRAM, OAUTH2 o conexiones seguras. Desactive el caché de autenticación si no es posible actualizar.

Monitor your dependencies automatically

Get notified when new vulnerabilities affect your projects. Free forever.

Start free
CVE-2026-27855 — Vulnerability Details | NextGuard | NextGuard