CVE-2026-27855
Received Received - Intake
Replay Attack Vulnerability in Dovecot OTP Authentication Cache

Publication date: 2026-03-27

Last updated on: 2026-04-29

Assigner: Open-Xchange

Description
Dovecot OTP authentication is vulnerable to replay attack under specific conditions. If auth cache is enabled, and username is altered in passdb, then OTP credentials can be cached so that same OTP reply is valid. An attacker able to observe an OTP exchange is able to log in as the user. If authentication happens over unsecure connection, switch to SCRAM protocol. Alternatively ensure the communcations are secured, and if possible switch to OAUTH2 or SCRAM. No publicly available exploits are known.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-27
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-03-27
EPSS Evaluated
2026-06-15
NVD
CVE-2026-27855
EUVD
EUVD-2026-16563
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
dovecot dovecot to 2.4.3 (exc)
open-xchange dovecot to 2.3.0 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-294 A capture-replay flaw exists when the design of the product makes it possible for a malicious user to sniff network traffic and bypass authentication by replaying it to the server in question to the same effect as the original message (or with minor changes).
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability affects Dovecot OTP (One-Time Password) authentication. When the authentication cache is enabled and the username is changed in the password database (passdb), OTP credentials can be cached improperly. This allows the same OTP response to be reused, enabling an attacker who observes an OTP exchange to log in as the user by replaying the OTP.

The issue arises because the OTP credentials are cached and not properly invalidated when the username is altered, leading to a replay attack scenario.

Impact Analysis

An attacker who can observe an OTP exchange can reuse the captured OTP to authenticate as the legitimate user, potentially gaining unauthorized access to the user's account.

This can lead to compromised user accounts, unauthorized access to sensitive information, and potential further exploitation within the affected system.

Mitigation Strategies

To mitigate this vulnerability, ensure that authentication does not happen over unsecured connections.

Switch to the SCRAM protocol for authentication if possible.

Alternatively, secure communications by using OAUTH2 or SCRAM protocols.

Also, consider disabling the auth cache or avoid altering usernames in passdb to prevent OTP credentials from being cached.

Compliance Impact

This vulnerability allows an attacker to replay OTP authentication credentials under certain conditions, potentially leading to unauthorized access to user accounts.

Such unauthorized access could result in exposure or compromise of sensitive personal or health information, which may violate compliance requirements under regulations like GDPR or HIPAA.

Therefore, organizations using affected Dovecot OTP authentication should consider this vulnerability as a risk to data confidentiality and integrity, impacting compliance with these standards.

Mitigations include securing communications, switching to more secure authentication protocols like SCRAM or OAUTH2, and ensuring proper configuration to prevent OTP replay attacks.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-27855. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart