CVE-2026-27856

HIGH

OX Dovecot Pro <2.3.0 - Timing Oracle

Title source: llm

Description

Doveadm credentials are verified using direct comparison which is susceptible to timing oracle attack. An attacker can use this to determine the configured credentials. Figuring out the credential will lead into full access to the affected component. Limit access to the doveadm http service port, install fixed version. No publicly available exploits are known.

References (1)

[Vendor Advisory] https://documentation.open-xchange.com/dovecot/security/advisories/csaf/2026/oxdc-adv-2026-0001.json

Scores

CVSS v3 7.4

EPSS 0.0002

EPSS Percentile 3.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-287

Status published

Products (3)

dovecot/dovecot < 2.4.3

open-xchange/dovecot < 2.3.22.1

Open-Xchange GmbH/OX Dovecot Pro < 2.3.0

Published Mar 27, 2026

Tracked Since Mar 27, 2026