EUVD-2026-16565 | CVE-2026-27856
Severity: HIGH, CVSS 3.1 base score 7.4
Published: 2026-03-27 (vendor: OX)

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: None

Lifecycle Timeline (newest first)

Patch Released       Mar 31, 2026 - 13:49 (nvd), patch available: upstream 2.4.3
EUVD ID Assigned     Mar 27, 2026 - 08:30 (euvd), EUVD-2026-16565
Analysis Generated   Mar 27, 2026 - 08:30 (vuln.today)
CVE Published        Mar 27, 2026 - 08:10 (nvd), rated HIGH 7.4

Description

Doveadm credentials are verified using direct comparison, which is susceptible to a timing oracle attack. An attacker can use this to determine the configured credentials. Figuring out the credential will lead to full access to the affected component. Limit access to the doveadm HTTP service port and install a fixed version. No publicly available exploits are known.

Analysis

OX Dovecot Pro's doveadm HTTP service verifies the configured credential with a direct (strcmp-style) comparison that returns as soon as a byte mismatches, so the response time depends on how many leading bytes of the attacker's guess are correct. A remote, unauthenticated attacker who can reach the doveadm HTTP port can measure that difference and recover the credential one byte position at a time, which yields full administrative access to the doveadm management interface (the CVSS vector rates confidentiality and integrity impact High, availability None). Consistent with the AC:H rating, exploitation requires statistical timing measurements over the network rather than a single request. The vulnerability affects OX Dovecot Pro installations whose doveadm HTTP service port is exposed, carries a CVSS score of 7.4, and had no public exploit identified at the time of analysis.
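The comparison pattern described above, as an added example that is not Dovecot's code: a strcmp-style early-exit check instrumented to show what it leaks, beside a constant-time replacement. The function names (`naive_key_check`, `naive_steps`, `ct_key_check`, `nonzero_u64`) and the sample secret are illustrative and not taken from the advisory or the project.

```c
/* Added example, not Dovecot's code: the early-exit credential comparison
 * pattern the advisory describes, instrumented to show what it leaks,
 * beside a constant-time replacement. All function names are illustrative. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Vulnerable pattern: a strcmp-style loop that stops at the first byte
 * that differs. Its running time grows with the length of the matching
 * prefix, which is exactly what a remote timing oracle measures. */
static int naive_key_check(const char *stored, const char *supplied)
{
    for (size_t i = 0; ; i++) {
        if (stored[i] != supplied[i])
            return 0;                 /* early exit: leaks the mismatch position */
        if (stored[i] == '\0')
            return 1;                 /* both strings ended together: match */
    }
}

/* The same loop, returning how many byte comparisons it performed before
 * reaching a verdict. Each correctly guessed leading byte adds one step. */
static size_t naive_steps(const char *stored, const char *supplied)
{
    for (size_t i = 0; ; i++) {
        if (stored[i] != supplied[i] || stored[i] == '\0')
            return i + 1;
    }
}

/* Branch-free test for x != 0: the top bit of (x | -x) is set iff x != 0. */
static unsigned char nonzero_u64(uint64_t x)
{
    return (unsigned char)((x | ((uint64_t)0 - x)) >> 63);
}

/* Constant-time replacement: always walks the full length of the stored
 * secret, ORs every byte difference into one accumulator, and folds the
 * length mismatch in the same way, so neither the iteration count nor the
 * work per iteration depends on which bytes the attacker got right. */
static int ct_key_check(const char *stored, const char *supplied)
{
    size_t slen = strlen(stored);
    size_t ulen = strlen(supplied);
    unsigned char diff = nonzero_u64((uint64_t)slen ^ (uint64_t)ulen);

    for (size_t i = 0; i < slen; i++) {
        /* Never read past the supplied buffer. This branch depends only on
         * the attacker's own input length, not on any byte of the secret. */
        unsigned char u = (i < ulen) ? (unsigned char)supplied[i] : 0;
        diff |= (unsigned char)((unsigned char)stored[i] ^ u);
    }
    return diff == 0;
}

/* Demo over a constructed secret: the naive check does more work for every
 * extra correct leading byte; the constant-time check does the same for all. */
int main(void)
{
    const char *secret = "s3cret-api-key";           /* constructed sample */
    const char *guesses[] = { "x", "s3x", "s3cx", "s3crx", "s3cret-api-key" };
    size_t n = sizeof guesses / sizeof guesses[0];

    for (size_t i = 0; i < n; i++) {
        printf("guess %-16s naive_steps=%2zu naive=%d ct=%d\n",
               guesses[i], naive_steps(secret, guesses[i]),
               naive_key_check(secret, guesses[i]),
               ct_key_check(secret, guesses[i]));
    }
    return 0;
}
```

Two caveats a practitioner should keep in mind. Compilers can undo hand-written constant-time tricks, so production code should use a vetted primitive such as OpenSSL's `CRYPTO_memcmp` or libsodium's `sodium_memcmp` rather than this illustration. And even a correct constant-time compare still reveals the secret's length through its loop bound; comparing fixed-length digests of both values (for example an HMAC of each under a per-process random key) removes that last signal as well.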


Remediation

Within 24 hours: audit network exposure of the doveadm HTTP service on every Dovecot Pro installation using port scanning and firewall logs (the Dovecot documentation's example configuration puts the `inet_listener http` of `service doveadm` on port 8080, but check the port actually configured on each host rather than assuming it), and block external access with network segmentation or firewall rules where business operations permit. Within 7 days: put an authenticating reverse proxy (e.g., nginx with HTTP Basic Auth or an OAuth gateway) in front of doveadm so the vulnerable comparison is never reachable anonymously; rotate all doveadm administrative credentials, since a timing attack may already have recovered them; and review access logs for the pattern such an attack produces, a large volume of failed authentication attempts from a single source. …


Priority Score

37 (scale: Low / Medium / High / Critical)
Components: KEV 0, EPSS +0.0, CVSS +37, POC 0

Vendor Status

Ubuntu (priority: Medium), package dovecot

Release    Status         Version
trusty     not-affected   code not present
xenial     not-affected   code not present
bionic     not-affected   code not present
focal      needed         -
jammy      needed         -
noble      needed         -
questing   needed         -
upstream   released       2.4.3

Debian, package dovecot (the version column lists the package version in that release; no fixed version is listed for any release)

Release                        Status      Version                       Urgency
bullseye                       vulnerable  1:2.3.13+dfsg1-2+deb11u1      -
bullseye (security)            vulnerable  1:2.3.13+dfsg1-2+deb11u2      -
bookworm, bookworm (security)  vulnerable  1:2.3.19.1+dfsg1-2.1+deb12u1  -
trixie                         vulnerable  1:2.4.1+dfsg1-6+deb13u3       -
trixie (security)              vulnerable  1:2.4.1+dfsg1-6+deb13u1       -
forky, sid                     vulnerable  1:2.4.2+dfsg1-4               -
(unstable)                     fixed       (unfixed)                     -

EUVD-2026-16565 vulnerability details – vuln.today
