7.4

CVE-2026-27856

EPSS 0.03%
Veröffentlicht 27.03.2026 08:10:19
Zuletzt bearbeitet 29.04.2026 19:25:51
Quelle security@open-xchange.com
CVE-Watchlists
Login
Unerledigt
Login

Doveadm credentials are verified using direct comparison which is susceptible to timing oracle attack. An attacker can use this to determine the configured credentials. Figuring out the credential will lead into full access to the affected component. Limit access to the doveadm http service port, install fixed version. No publicly available exploits are known.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 4

NVD 4 VulnDex Vulnerability Enrichment 0

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Dovecot ≫ Dovecot Version < 2.4.3

Open-xchange ≫ Dovecot SwEditionpro Version < 2.3.22.1

Open-xchange ≫ Dovecot SwEditionpro Version >= 3.0.0 < 3.0.5

Open-xchange ≫ Dovecot SwEditionpro Version >= 3.1.0 < 3.1.4

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.03%	0.074

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	5.9	2.2	3.6	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
security@open-xchange.com	7.4	2.2	5.2	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

CWE-287 Improper Authentication

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

https://documentation.open-xchange.com/dovecot/security/advisories/csaf/2026/oxdc-adv-2026-0001.json

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2026-27856

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-27856

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-27856

EUVD