Auth bypass in Dovecot

CVE-2026-27856

Doveadm credentials are verified using direct comparison, which is susceptible to a timing oracle attack. An attacker can use this to determine the configured credentials. Figuring out the credential leads to full access to the affected…
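
The difference between a direct comparison and a timing-safe one, shown as an added example: this is not Dovecot's code, and the function names and sample secret are constructed for illustration. A step counter stands in for elapsed time so the data-dependent behaviour is deterministic.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample secret for this example; not a real Dovecot value. */
static const char STORED[] = "s3cr3t-doveadm-key";

/* Weak pattern: returns at the first mismatching byte, so the number of
 * bytes examined (*steps) depends on how long the matching prefix is. */
int leaky_equal(const char *a, const char *b, size_t len, size_t *steps)
{
    for (size_t i = 0; i < len; i++) {
        (*steps)++;
        if (a[i] != b[i])
            return 0;
    }
    return 1;
}

/* Hardened pattern: examines every byte and ORs the differences into an
 * accumulator, so the work done does not depend on where inputs differ. */
int ct_equal(const char *a, const char *b, size_t len, size_t *steps)
{
    volatile unsigned char diff = 0;
    for (size_t i = 0; i < len; i++) {
        (*steps)++;
        diff |= (unsigned char)(a[i] ^ b[i]);
    }
    return diff == 0;
}

/* Hypothetical credential check. The length is compared up front, so this
 * example hides the secret's content, not its length. */
int check_credential(const char *presented, int hardened, size_t *steps)
{
    size_t n = sizeof(STORED) - 1;
    *steps = 0;
    if (strlen(presented) != n)
        return 0;
    return hardened ? ct_equal(presented, STORED, n, steps)
                    : leaky_equal(presented, STORED, n, steps);
}

int main(void)
{
    size_t weak, hard;
    check_credential("s3cr3txxxxxxxxxxxx", 0, &weak);
    check_credential("s3cr3txxxxxxxxxxxx", 1, &hard);
    printf("bytes examined: direct=%zu constant-time=%zu\n", weak, hard);
    return 0;
}
```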

Vulnerability class: Broken Authentication

EPSS: 0.000 (8.7th percentile).

CVSS v3 metric

CVSS v3 base score 7.4 (High). Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N.

Frequently asked questions

What is CVE-2026-27856?
CVE-2026-27856 is a high-severity vulnerability in Dovecot, classified under Improper Authentication. CVSS score: 7.4/10. Published 2026-03-27.
How severe is CVE-2026-27856?
High severity. CVSS v3 base score is 7.4 out of 10.