Dovecot doveadm Timing Oracle Attack Exposes Credentials
CVE-2026-27856 Published on March 27, 2026

Doveadm credentials are verified using direct comparison which is susceptible to timing oracle attack. An attacker can use this to determine the configured credentials. Figuring out the credential will lead into full access to the affected component. Limit access to the doveadm http service port, install fixed version. No publicly available exploits are known.

Vendor Advisory NVD

Vulnerability Analysis

CVE-2026-27856 is exploitable with network access, and does not require authorization privileges or user interaction. This vulnerability is consided to have a high level of attack complexity. The potential impact of an exploit of this vulnerability is considered to have a high impact on confidentiality and integrity, and no impact on availability.

Attack Vector:
NETWORK
Attack Complexity:
HIGH
Privileges Required:
NONE
User Interaction:
NONE
Scope:
UNCHANGED
Confidentiality Impact:
HIGH
Integrity Impact:
HIGH
Availability Impact:
NONE

Weakness Type

What is an authentification Vulnerability?

When an actor claims to have a given identity, the software does not prove or insufficiently proves that the claim is correct.

CVE-2026-27856 has been classified to as an authentification vulnerability or weakness.


Products Associated with CVE-2026-27856

Want to know whenever a new CVE is published for Canonical Ubuntu Linux? stack.watch will email you.

Canonical Ubuntu Linux
 

Affected Versions

Open-Xchange GmbH OX Dovecot Pro:

Exploit Probability

EPSS
0.03%
Percentile
8.55%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.