CVE-2026-27855

Name	CVE-2026-27855
Description	Dovecot OTP authentication is vulnerable to replay attack under specific conditions. If auth cache is enabled, and username is altered in passdb, then OTP credentials can be cached so that same OTP reply is valid. An attacker able to observe an OTP exchange is able to log in as the user. If authentication happens over unsecure connection, switch to SCRAM protocol. Alternatively ensure the communcations are secured, and if possible switch to OAUTH2 or SCRAM. No publicly available exploits are known.
Source	CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
dovecot (PTS)	bullseye	1:2.3.13+dfsg1-2+deb11u1	vulnerable
	bullseye (security)	1:2.3.13+dfsg1-2+deb11u2	vulnerable
	bookworm, bookworm (security)	1:2.3.19.1+dfsg1-2.1+deb12u1	vulnerable
	trixie	1:2.4.1+dfsg1-6+deb13u3	vulnerable
	trixie (security)	1:2.4.1+dfsg1-6+deb13u1	vulnerable
	forky, sid	1:2.4.2+dfsg1-4	vulnerable

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin	Debian Bugs
dovecot	source	(unstable)	(unfixed)

Notes

https://documentation.open-xchange.com/dovecot/security/advisories/html/2026/oxdc-adv-2026-0001.html#cve-2026-27855-auth-otp-driver-vulnerable-to-replay-attack