DEBIAN-CVE-2026-27855

Source
https://security-tracker.debian.org/tracker/CVE-2026-27855
Import Source
https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-27855.json
JSON Data
https://api.osv.dev/v1/vulns/DEBIAN-CVE-2026-27855
Upstream
  • CVE-2026-27855
Published
2026-03-27T09:16:19.610Z
Modified
2026-05-01T07:00:28.164087Z
Severity
  • 5.9 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary
[none]
Details

Dovecot OTP authentication is vulnerable to a replay attack under specific conditions. If the auth cache is enabled and the username is altered in passdb, OTP credentials can be cached so that the same OTP reply is valid. An attacker able to observe an OTP exchange is able to log in as the user. If authentication happens over an insecure connection, switch to the SCRAM protocol. Alternatively, ensure the communications are secured, and if possible switch to OAUTH2 or SCRAM. No publicly available exploits are known.

References

Affected packages

Debian:11 / dovecot

Package

Name
dovecot
Purl
pkg:deb/debian/dovecot?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
1:2.3.13+dfsg1-2+deb11u3

Affected versions

1:2.*
1:2.3.13+dfsg1-2
1:2.3.13+dfsg1-2+deb11u1
1:2.3.13+dfsg1-2+deb11u2

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source
"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-27855.json"

Debian:12 / dovecot

Package

Name
dovecot
Purl
pkg:deb/debian/dovecot?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
1:2.3.19.1+dfsg1-2.1+deb12u2

Affected versions

1:2.*
1:2.3.19.1+dfsg1-2.1
1:2.3.19.1+dfsg1-2.1+deb12u1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source
"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-27855.json"

Debian:13 / dovecot

Package

Name
dovecot
Purl
pkg:deb/debian/dovecot?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
1:2.4.1+dfsg1-6+deb13u4

Affected versions

1:2.*
1:2.4.1+dfsg1-6
1:2.4.1+dfsg1-6+deb13u1
1:2.4.1+dfsg1-6+deb13u2
1:2.4.1+dfsg1-6+deb13u3

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source
"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-27855.json"

Debian:14 / dovecot

Package

Name
dovecot
Purl
pkg:deb/debian/dovecot?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
1:2.4.3+dfsg1-1

Affected versions

1:2.*
1:2.4.1+dfsg1-6
1:2.4.1+dfsg1-7
1:2.4.1+dfsg1-8
1:2.4.1+dfsg1-9
1:2.4.2+dfsg1-1
1:2.4.2+dfsg1-2
1:2.4.2+dfsg1-3
1:2.4.2+dfsg1-4

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source
"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-27855.json"