PT-2026-28363 · Dovecot (+2 affected products)
Hamizanazman · Published 2026-01-01 · Updated 2026-04-16
CVE-2026-27855 · CVSS v3.1: 6.8 (Medium)
| Vector | AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N |
Name of the Vulnerable Software and Affected Versions
Dovecot versions prior to 2.4.3
Description
Dovecot OTP authentication is susceptible to a replay attack under certain conditions. Specifically, when the authentication cache is enabled and the username is modified within the passdb, the OTP credentials can be cached, so the same OTP reply remains valid for subsequent login attempts. An attacker who observes an OTP exchange could then log in as that user. The issue occurs when authentication takes place over an unsecured connection.
Recommendations
Update to version 2.4.3 or later.
If updating is not immediately possible, switch to the SCRAM protocol.
Ensure communications are secured.
If possible, switch to OAUTH2 or SCRAM.
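The following Dovecot configuration fragment is an added illustration of the interim recommendations above; it is not part of the advisory and not taken from the Dovecot project. It places the configuration that matches the described conditions (OTP offered, cleartext logins allowed, authentication cache on) beside a hardened version. Setting names follow Dovecot 2.4 conventions and are assumptions to verify with `doveconf` on the target installation (on 2.3, `auth_allow_cleartext = no` corresponds to `disable_plaintext_auth = yes`).

```conf
# Added example, not from the advisory or the Dovecot project.
# Setting names are assumed to follow Dovecot 2.4; verify with `doveconf`.

# --- Exposed configuration (matches the conditions the advisory describes) ---
# OTP offered as a mechanism, non-TLS logins permitted, auth cache enabled.
#auth_mechanisms = plain login otp
#auth_allow_cleartext = yes
#auth_cache_size = 10M
#auth_cache_ttl = 1 hour

# --- Interim hardening until the upgrade to 2.4.3 or later ---
# Require TLS so the OTP exchange cannot be observed in transit
# ("ensure communications are secured").
ssl = required
auth_allow_cleartext = no

# Prefer SCRAM over OTP and stop advertising otp altogether
# ("switch to the SCRAM protocol").
auth_mechanisms = plain login scram-sha-256

# Disabling the authentication cache removes the cached-OTP condition;
# 0 is also Dovecot's default (no cache).
auth_cache_size = 0
```

After reloading, `doveconf -n` shows the effective values; the hardened state is reached when `otp` no longer appears in `auth_mechanisms`, `ssl` is `required`, and `auth_cache_size` is `0`. Disabling the cache is the broadest interim measure because it removes the condition the advisory depends on regardless of passdb username handling, at the cost of extra passdb lookups.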
Affected Products
Dovecot
Linuxmint
Ubuntu