CVE-2026-27856

| EUVD-2026-16565 HIGH
2026-03-27 OX
7.4
CVSS 3.1
Share

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

4
Patch Released
Mar 31, 2026 - 13:49 nvd
Patch available
EUVD ID Assigned
Mar 27, 2026 - 08:30 euvd
EUVD-2026-16565
Analysis Generated
Mar 27, 2026 - 08:30 vuln.today
CVE Published
Mar 27, 2026 - 08:10 nvd
HIGH 7.4

Tags

Oracle Authentication Bypass Redhat

Description

Doveadm credentials are verified using direct comparison which is susceptible to timing oracle attack. An attacker can use this to determine the configured credentials. Figuring out the credential will lead into full access to the affected component. Limit access to the doveadm http service port, install fixed version. No publicly available exploits are known.

Analysis

OX Dovecot Pro's doveadm HTTP service is vulnerable to timing oracle attacks during credential verification, allowing remote unauthenticated attackers to enumerate valid credentials through timing analysis and gain full administrative access to the doveadm management interface. The vulnerability affects OX Dovecot Pro installations with exposed doveadm HTTP service ports, carries a CVSS score of 7.4, and has no public exploit identified at time of analysis.

Sign in for full analysis, threat intelligence, and remediation guidance.

Remediation

Within 24 hours: Immediately audit network exposure of doveadm HTTP service ports (default 8080) across all Dovecot Pro installations using port scanning and firewall logs; disable external access via network segmentation or firewall rules if business operations permit. Within 7 days: Implement reverse proxy authentication (e.g., nginx with HTTP Basic Auth or OAuth gateway) in front of doveadm; rotate all doveadm administrative credentials and review access logs for suspicious timing-based requests. …

Sign in for detailed remediation steps.

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Sign in - Free

Priority Score

37
Low Medium High Critical
KEV: 0
EPSS: +0.0
CVSS: +37
POC: 0

Vendor Status

Ubuntu

Priority: Medium
dovecot
Release Status Version
trusty not-affected code not present
xenial not-affected code not present
bionic not-affected code not present
focal needed -
jammy needed -
noble needed -
questing needed -
upstream released 2.4.3

Debian

dovecot
Release Status Fixed Version Urgency
bullseye vulnerable 1:2.3.13+dfsg1-2+deb11u1 -
bullseye (security) vulnerable 1:2.3.13+dfsg1-2+deb11u2 -
bookworm, bookworm (security) vulnerable 1:2.3.19.1+dfsg1-2.1+deb12u1 -
trixie vulnerable 1:2.4.1+dfsg1-6+deb13u3 -
trixie (security) vulnerable 1:2.4.1+dfsg1-6+deb13u1 -
forky, sid vulnerable 1:2.4.2+dfsg1-4 -
(unstable) fixed (unfixed) -

Share

CVE-2026-27856 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy