ALPINE-CVE-2026-27855

Source
https://security.alpinelinux.org/vuln/CVE-2026-27855
Import Source
https://storage.googleapis.com/cve-osv-conversion/alpine/ALPINE-CVE-2026-27855.json
JSON Data
https://api.osv.dev/v1/vulns/ALPINE-CVE-2026-27855
Upstream
  • CVE-2026-27855
Published
2026-03-27T09:16:19.610Z
Modified
2026-06-15T18:18:11.050400064Z
Severity
  • 5.9 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary
[none]
Details

Dovecot OTP authentication is vulnerable to a replay attack under specific conditions. If the auth cache is enabled and the username is altered in passdb, OTP credentials can be cached so that the same OTP reply is valid. An attacker able to observe an OTP exchange is able to log in as the user. If authentication happens over an insecure connection, switch to the SCRAM protocol. Alternatively, ensure the communications are secured and, if possible, switch to OAUTH2 or SCRAM. No publicly available exploits are known.

References

Affected packages

Alpine:v3.23 / dovecot

Package

Name
dovecot
Purl
pkg:apk/alpine/dovecot?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
2.4.3-r0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/alpine/ALPINE-CVE-2026-27855.json"

Alpine:v3.24 / dovecot

Package

Name
dovecot
Purl
pkg:apk/alpine/dovecot?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
2.4.3-r0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/alpine/ALPINE-CVE-2026-27855.json"