7.4

CVE-2026-27856

Doveadm credentials are verified using direct comparison which is susceptible to timing oracle attack. An attacker can use this to determine the configured credentials. Figuring out the credential will lead into full access to the affected component. Limit access to the doveadm http service port, install fixed version. No publicly available exploits are known.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
DovecotDovecot Version < 2.4.3
Open-xchangeDovecot SwEditionpro Version < 2.3.22.1
Open-xchangeDovecot SwEditionpro Version >= 3.0.0 < 3.0.5
Open-xchangeDovecot SwEditionpro Version >= 3.1.0 < 3.1.4
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.39% 0.31
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 5.9 2.2 3.6
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
security@open-xchange.com 7.4 2.2 5.2
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
0b0ca135-0b70-47e7-9f44-1890c2a1c46c 7.4 2.2 5.2
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
CWE-208 Observable Timing Discrepancy

Two separate operations in a product require different amounts of time to complete, in a way that is observable to an actor and reveals security-relevant information about the state of the product, such as whether a particular operation was successful or not.

CWE-287 Improper Authentication

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

https://documentation.open-xchange.com/dovecot/security/advisories/csaf/2026/oxdc-adv-2026-0001.json
Vendor Advisory
https://access.redhat.com/errata/RHSA-2026:26564
https://access.redhat.com/security/cve/CVE-2026-27856
https://bugzilla.redhat.com/show_bug.cgi?id=2452171
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-27856.json