Description
Dovecot OTP authentication is vulnerable to a replay attack under specific conditions. If the auth cache is enabled and the username is altered in the passdb, OTP credentials can be cached so that the same OTP reply remains valid. An attacker able to observe an OTP exchange is then able to log in as the user. If authentication happens over an insecure connection, switch to the SCRAM protocol. Alternatively, ensure the communications are secured and, if possible, switch to OAUTH2 or SCRAM. No publicly available exploits are known.
Published: 2026-03-27
Score: 6.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized authentication via OTP replay
Action: Patch Now
AI Analysis

Impact

An OTP authentication mechanism in OX Dovecot Pro allows replay attacks when authentication caching is enabled and the username is modified in the passdb. Cached OTP credentials can be reused, enabling an attacker who intercepts an OTP exchange to authenticate as the victim. The weakness permits unauthorized access to user accounts without knowing the password, effectively bypassing authentication mechanisms.

Affected Systems

Affected systems are Open‑Xchange GmbH OX Dovecot Pro clients. No specific version range is listed; administrators should verify that their installation uses a version that supports OTP caching and passdb modifications. Any deployment employing OTP authentication with caching enabled is potentially impacted.

Risk and Exploitability

With a CVSS score of 6.8 the vulnerability is considered medium‑high severity. EPSS information is unavailable, and the issue is not in the KEV catalogue, but the required conditions are relatively specific. The likely attack vector involves an attacker observing an OTP challenge/response over an insecure connection, then replaying the response after the username has been altered in the back‑end. No exploits have been published yet; however, the logic of the replay attack makes it feasible for an adversary capable of collecting the OTP exchange to hijack a session.

Generated by OpenCVE AI on March 27, 2026 at 09:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Disable OTP authentication or stop using caching for OTP.
  • Enforce TLS for all authentication traffic to prevent interception.
  • Configure Dovecot to use stronger authentication such as SCRAM or OAUTH2.
  • Upgrade to the latest OX Dovecot Pro release that addresses the issue.
  • Monitor authentication logs for unusual OTP usage patterns.
  • Review passdb configuration to prevent unintended username alterations.
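As an added illustration that is not part of this advisory, of OpenCVE's text or of Dovecot's own documentation, the following dovecot.conf fragment applies the recommended actions above: it drops OTP from the offered mechanisms, disables the authentication cache whose reuse of OTP credentials is the root of the issue, and requires TLS so an exchange cannot be observed in cleartext. The setting names (auth_mechanisms, auth_cache_size, disable_plaintext_auth, ssl, ssl_cert, ssl_key) are standard Dovecot settings; the values and file paths are assumptions for this example and must be adapted to the deployment.

```conf
# Added example, not from the advisory or from Dovecot's own docs.
# Setting names are standard Dovecot settings; values are assumptions.

# Weak: OTP offered as a mechanism while the auth cache is enabled.
# With a passdb that rewrites the username, a cached OTP result can be
# accepted again for a later login (the condition described above).
#auth_mechanisms = plain login otp
#auth_cache_size = 10M
#auth_cache_ttl = 1 hour

# Hardened: no OTP, SCRAM offered instead, PLAIN only inside TLS.
auth_mechanisms = scram-sha-256 plain

# Disable the auth cache entirely (0 = disabled).
auth_cache_size = 0

# Refuse cleartext authentication unless the connection is TLS-protected,
# and require TLS for every client connection.
disable_plaintext_auth = yes
ssl = required

# Placeholder paths; point these at the server's real certificate and key.
ssl_cert = </etc/dovecot/private/dovecot.pem
ssl_key = </etc/dovecot/private/dovecot.key
```

SCRAM mechanisms only work when the passdb stores passwords in a scheme the server can use for them (a SCRAM-SHA-256 hash or a plaintext scheme); deployments storing only other hashes cannot simply enable scram-sha-256 without re-hashing. Disabling the cache also removes it for every other mechanism, so verify the passdb backend can sustain the added lookup load before rolling the change out.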


Tracking


Advisories
Source: Debian DSA    ID: DSA-6197-1    Title: dovecot security update
Source: Ubuntu USN    ID: USN-8136-1    Title: Dovecot vulnerabilities
History

Mon, 30 Mar 2026 07:15:00 +0000

First Time appeared
  Values Added: Open-xchange; Open-xchange ox Dovecot Pro
Vendors & Products
  Values Added: Open-xchange; Open-xchange ox Dovecot Pro

Sat, 28 Mar 2026 17:15:00 +0000

Metrics: ssvc
  Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Sat, 28 Mar 2026 12:15:00 +0000

Title
  Values Removed: Dovecot OTP Replay Allows Unauthorized Authentication
  Values Added: dovecot: Dovecot: Replay attack allows unauthorized login via observed One-Time Password (OTP) exchange
References
Metrics: threat_severity
  Values Removed: None
  Values Added: Moderate


Fri, 27 Mar 2026 10:00:00 +0000

Title
  Values Added: Dovecot OTP Replay Allows Unauthorized Authentication

Fri, 27 Mar 2026 08:30:00 +0000

Description
  Values Added: Dovecot OTP authentication is vulnerable to a replay attack under specific conditions. If the auth cache is enabled and the username is altered in the passdb, OTP credentials can be cached so that the same OTP reply remains valid. An attacker able to observe an OTP exchange is then able to log in as the user. If authentication happens over an insecure connection, switch to the SCRAM protocol. Alternatively, ensure the communications are secured and, if possible, switch to OAUTH2 or SCRAM. No publicly available exploits are known.
Weaknesses
  Values Added: CWE-294
References
Metrics: cvssV3_1
  Values Added: {'score': 6.8, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: OX

Published:

Updated: 2026-03-27T19:39:50.286Z

Reserved: 2026-02-24T08:46:09.373Z

Link: CVE-2026-27855

Vulnrichment

Updated: 2026-03-27T19:39:42.078Z

NVD

Status : Awaiting Analysis

Published: 2026-03-27T09:16:19.610

Modified: 2026-03-30T13:26:29.793

Link: CVE-2026-27855

Redhat

Severity : Moderate

Public Date: 2026-03-27T08:10:18Z

Links: CVE-2026-27855 - Bugzilla

OpenCVE Enrichment

Updated: 2026-03-30T07:02:15Z

Weaknesses