Skip to main content

Microsoft EUVDEUVD-2026-16563

| CVE-2026-27855 MEDIUM
Authentication Bypass by Capture-replay (CWE-294)
2026-03-27 OX GHSA-7923-h3mf-4442
6.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.8 MEDIUM
AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N
Ubuntu
MEDIUM
qualitative
SUSE
MEDIUM
qualitative
Red Hat
6.8 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

4
Patch released
Mar 31, 2026 - 13:49 nvd
Patch available
EUVD ID Assigned
Mar 27, 2026 - 08:30 euvd
EUVD-2026-16563
Analysis Generated
Mar 27, 2026 - 08:30 vuln.today
CVE Published
Mar 27, 2026 - 08:10 nvd
MEDIUM 6.8

DescriptionCVE.org

Dovecot OTP authentication is vulnerable to replay attack under specific conditions. If auth cache is enabled, and username is altered in passdb, then OTP credentials can be cached so that same OTP reply is valid. An attacker able to observe an OTP exchange is able to log in as the user. If authentication happens over unsecure connection, switch to SCRAM protocol. Alternatively ensure the communcations are secured, and if possible switch to OAUTH2 or SCRAM. No publicly available exploits are known.

AnalysisAI

Dovecot OTP authentication enables replay attacks when authentication cache is enabled and username alteration occurs in passdb, allowing attackers who observe an OTP exchange to authenticate as the targeted user. Open-XChange Dovecot Pro is affected (CPE: cpe:2.3:a:open-xchange_gmbh:ox_dovecot_pro:*:*:*:*:*:*:*:*). No public exploit identified at time of analysis, though the vulnerability requires relatively specific preconditions (enabled cache, username modification in passdb) to be exploitable. The CVSS 6.8 score reflects high confidentiality and integrity impact but requires high attack complexity and user interaction.

Technical ContextAI

The vulnerability exploits insecure caching mechanisms in Dovecot's OTP (One-Time Password) authentication flow, classified under CWE-294 (Authentication Using a Shared Secret with Weak Randomness or Weak Hashing). When auth cache is enabled and a username is modified within the passdb backend, the OTP validation logic caches credentials incorrectly, permitting replay of previously-observed OTP values. OTP protocols rely on time-bound or sequence-bound credentials that should never be reusable; cached OTP values violate this fundamental security principle. The root cause involves improper cache key construction that does not account for username mutations, allowing an attacker observing a legitimate OTP exchange on an unsecured channel to bypass authentication by resubmitting the same OTP credential. Affected product is Open-XChange Dovecot Pro, identified via CPE cpe:2.3:a:open-xchange_gmbh:ox_dovecot_pro:*:*:*:*:*:*:*:*.

RemediationAI

Primary remediation is to upgrade to a patched version of Open-XChange Dovecot Pro released after this advisory; consult https://documentation.open-xchange.com/dovecot/security/advisories/csaf/2026/oxdc-adv-2026-0001.json for exact patched versions. Immediate workarounds include: (1) disable authentication caching if operationally feasible via auth_cache_size = 0 in dovecot.conf; (2) migrate OTP authentication to SCRAM protocol, which incorporates challenge-response mechanisms resistant to replay; (3) enforce encrypted authentication channels (TLS/SSL) for all OTP exchanges to prevent passive observation by attackers; (4) if possible, transition to OAuth2 for authentication to eliminate dependency on shared secrets. Organizations unable to patch immediately should prioritize securing the authentication channel end-to-end and disabling auth cache where username mutations occur in passdb.

Vendor StatusVendor

Ubuntu

Priority: Medium
dovecot
Release Status Version
trusty needed -
xenial needed -
bionic needed -
focal needed -
jammy needed -
noble needed -
questing needed -
upstream released 2.4.3

Debian

dovecot
Release Status Fixed Version Urgency
bullseye vulnerable 1:2.3.13+dfsg1-2+deb11u1 -
bullseye (security) vulnerable 1:2.3.13+dfsg1-2+deb11u2 -
bookworm, bookworm (security) vulnerable 1:2.3.19.1+dfsg1-2.1+deb12u1 -
trixie vulnerable 1:2.4.1+dfsg1-6+deb13u3 -
trixie (security) vulnerable 1:2.4.1+dfsg1-6+deb13u1 -
forky, sid vulnerable 1:2.4.2+dfsg1-4 -
(unstable) fixed (unfixed) -

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise Module for Server Applications 15 SP7 Fixed
SUSE Linux Enterprise Module for Server Applications 15 SP7 Fixed
SUSE Linux Enterprise Server 15 SP7 Fixed

Share

EUVD-2026-16563 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy