Description
Dovecot OTP authentication is vulnerable to a replay attack under specific conditions. If the auth cache is enabled and the username is altered in the passdb, then OTP credentials can be cached so that the same OTP reply remains valid. An attacker able to observe an OTP exchange is able to log in as the user. If authentication happens over an insecure connection, switch to the SCRAM protocol. Alternatively, ensure the communications are secured, and if possible switch to OAUTH2 or SCRAM. No publicly available exploits are known.
Published: 2026-03-27
Score: 6.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized authentication via OTP replay
Action: Patch Now
AI Analysis

Impact

An OTP authentication mechanism in OX Dovecot Pro allows replay attacks when authentication caching is enabled and the username is modified in the passdb. Cached OTP credentials can be reused, enabling an attacker who intercepts an OTP exchange to authenticate as the victim. The weakness permits unauthorized access to user accounts without knowing the password, effectively bypassing authentication mechanisms.

Affected Systems

Affected systems are Open-Xchange GmbH OX Dovecot Pro installations. No specific version range is listed; administrators should verify whether their installation uses a version that supports OTP caching and passdb username modification. Any deployment employing OTP authentication with the auth cache enabled is potentially impacted.

Risk and Exploitability

With a CVSS score of 6.8 the vulnerability is considered medium-high severity. EPSS information is unavailable, and the issue is not in the KEV catalogue, but the required conditions are relatively specific. The likely attack vector involves an attacker observing an OTP challenge/response over an insecure connection, then replaying the response after the username has been altered in the back-end. No exploits have been published yet; however, the logic of the replay attack makes it feasible for an adversary capable of collecting the OTP exchange to hijack a session.

Generated by OpenCVE AI on March 27, 2026 at 09:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Disable OTP authentication or stop using caching for OTP.
  • Enforce TLS for all authentication traffic to prevent interception.
  • Configure Dovecot to use stronger authentication such as SCRAM or OAUTH2.
  • Upgrade to the latest OX Dovecot Pro release that addresses the issue.
  • Monitor authentication logs for unusual OTP usage patterns.
  • Review passdb configuration to prevent unintended username alterations.
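The first three actions above expressed as Dovecot settings, as an added example that is not part of the OpenCVE page or of any vendor fix. It assumes Dovecot 2.3 conf.d setting names; the certificate paths are illustrative.

```conf
# Added example (not from the advisory or the Dovecot project).
# Two alternative fragments are shown; deploy only the "Mitigated" one.
# Setting names follow Dovecot 2.3 syntax; file paths are placeholders.

# --- Exposed: the conditions the advisory describes ---
# OTP offered as a mechanism, the auth cache enabled, and
# cleartext authentication permitted, so an OTP exchange can be
# observed on the wire and a cached reply re-validated.
auth_mechanisms = plain login otp
auth_cache_size = 10M          # any non-zero value enables the auth cache
auth_cache_ttl = 1 hour
disable_plaintext_auth = no    # auth allowed outside TLS
ssl = yes                      # TLS offered but not enforced

# --- Mitigated: recommended actions 1-3 applied ---
# Drop OTP, prefer SCRAM, disable the auth cache so no OTP reply can
# be re-validated, and require TLS for every authentication.
# (scram-sha-256 needs passwords stored in a SCRAM-SHA-256 scheme or
# in cleartext; add oauthbearer/xoauth2 only with an OAuth2 passdb.)
auth_mechanisms = scram-sha-256 plain login
auth_cache_size = 0            # 0 disables the auth cache entirely
disable_plaintext_auth = yes   # plain/login accepted only inside TLS
ssl = required
ssl_cert = </etc/dovecot/private/dovecot.pem   # placeholder path
ssl_key = </etc/dovecot/private/dovecot.key    # placeholder path
```

Run `doveconf -n` after the change to confirm `otp` no longer appears in `auth_mechanisms` and that `auth_cache_size` reports 0.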


Advisories

No advisories yet.

History

Fri, 27 Mar 2026 10:00:00 +0000

Type: Title
Values Added: Dovecot OTP Replay Allows Unauthorized Authentication

Fri, 27 Mar 2026 08:30:00 +0000

Type: Description
Values Added: Dovecot OTP authentication is vulnerable to a replay attack under specific conditions. If the auth cache is enabled and the username is altered in the passdb, then OTP credentials can be cached so that the same OTP reply remains valid. An attacker able to observe an OTP exchange is able to log in as the user. If authentication happens over an insecure connection, switch to the SCRAM protocol. Alternatively, ensure the communications are secured, and if possible switch to OAUTH2 or SCRAM. No publicly available exploits are known.

Type: Weaknesses
Values Added: CWE-294

Type: References
Values Added:

Type: Metrics
Values Added: cvssV3_1 {'score': 6.8, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: OX

Published:

Updated: 2026-03-27T12:33:26.733Z

Reserved: 2026-02-24T08:46:09.373Z

Link: CVE-2026-27855

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-03-27T09:16:19.610

Modified: 2026-03-27T09:16:19.610

Link: CVE-2026-27855

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T09:45:44Z

Weaknesses