Timing Oracle Vulnerability in Dovecot by Open-Xchange
CVE-2026-27856

7.4 HIGH

Key Information:

Vendor
CVE Published: 27 March 2026

What is CVE-2026-27856?

The vulnerability in Dovecot arises from insecure handling of doveadm credentials: they are checked with a direct comparison whose running time depends on how many leading bytes of the supplied value match the stored one, which makes the check a timing oracle. An attacker who can measure response times could use those discrepancies to infer valid credentials. If the credentials are compromised, they could grant unauthorized access to sensitive components of the system. To mitigate this risk, restrict access to the doveadm HTTP service port and upgrade to the fixed version as soon as possible. Currently, there are no publicly available exploits for this vulnerability.
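To make the defect concrete, the following added C example (not Dovecot's code, and not taken from the advisory) contrasts the early-exit comparison pattern the description refers to with a constant-time equivalent. Instead of measuring wall-clock time, each routine reports how many byte comparisons it performed, which is the quantity that shows up as elapsed time on real hardware. The credential values are constructed for the demonstration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Early-exit comparison: returns at the first differing byte. If `steps` is
 * non-NULL it receives the number of byte comparisons performed; that count
 * grows with the length of the matching prefix, which is the timing leak. */
int naive_credential_equal(const char *expected, const char *supplied, size_t *steps)
{
    size_t i = 0;
    size_t n = 0;
    for (;;) {
        n++;
        if (expected[i] != supplied[i]) {   /* mismatch, or one string ended early */
            if (steps) *steps = n;
            return 0;
        }
        if (expected[i] == '\0') {          /* both strings ended together: equal */
            if (steps) *steps = n;
            return 1;
        }
        i++;
    }
}

/* Constant-time comparison: always walks the full expected value and folds
 * every difference into `diff` with bitwise OR, so the number of iterations
 * depends only on the length of the stored credential, not on the input. */
int ct_credential_equal(const char *expected, const char *supplied, size_t *steps)
{
    size_t elen = strlen(expected);
    size_t slen = strlen(supplied);
    unsigned char diff = (unsigned char)(elen != slen);
    size_t n = 0;
    for (size_t i = 0; i < elen; i++) {
        /* Past the end of the supplied value compare against 0 so the loop
         * never short-circuits and never reads out of bounds. */
        unsigned char s = (i < slen) ? (unsigned char)supplied[i] : 0;
        diff |= (unsigned char)expected[i] ^ s;
        n++;
    }
    if (steps) *steps = n;
    return diff == 0;
}

/* Convenience wrappers that return only the work count. */
size_t naive_steps(const char *expected, const char *supplied)
{
    size_t s = 0;
    naive_credential_equal(expected, supplied, &s);
    return s;
}

size_t ct_steps(const char *expected, const char *supplied)
{
    size_t s = 0;
    ct_credential_equal(expected, supplied, &s);
    return s;
}

int main(void)
{
    /* Constructed sample credential; not a real Dovecot value. */
    const char *stored = "secret-token";
    const char *guesses[] = { "wrong", "secreX", "secret-tokeX", "secret-token" };
    for (size_t i = 0; i < sizeof guesses / sizeof guesses[0]; i++) {
        printf("%-14s naive steps=%2zu  constant-time steps=%2zu\n",
               guesses[i], naive_steps(stored, guesses[i]), ct_steps(stored, guesses[i]));
    }
    return 0;
}
```

The naive routine does 1 comparison for a guess that fails on the first byte and 6 for one that fails on the sixth, so an observer can grow a correct prefix one byte at a time; the constant-time routine does 12 comparisons for every guess. Note that the constant-time version still reveals the length of the stored credential; production code typically compares fixed-length digests of both values, or uses a library routine written for the purpose such as OpenSSL's CRYPTO_memcmp, rather than hand-rolling this loop.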

Affected Version(s)

OX Dovecot Pro 0 <= 2.3.0

References

CVSS V3.1

Score: 7.4
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
