
CVE-2026-27855: Authentication Bypass by Capture-replay in Open-Xchange GmbH OX Dovecot Pro

Severity: Medium
Published: Fri Mar 27 2026 (03/27/2026, 08:10:18 UTC)
Source: CVE Database V5
Vendor/Project: Open-Xchange GmbH
Product: OX Dovecot Pro

Description

CVE-2026-27855 is a medium severity vulnerability in Open-Xchange GmbH's OX Dovecot Pro involving an authentication bypass via a replay attack on the OTP mechanism. When authentication caching is enabled and the username is altered in the passdb, OTP credentials can be cached improperly, allowing an attacker who observes an OTP exchange to reuse the same OTP and gain unauthorized access. Exploitation requires network access to intercept OTP exchanges and user interaction, with no known public exploits currently. The vulnerability primarily affects systems using insecure connections for authentication. Mitigations include disabling the auth cache, securing communication channels (e.g., using TLS), switching to SCRAM or OAUTH2 authentication protocols, and monitoring for suspicious login activity. Organizations relying on OX Dovecot Pro for email services, especially in environments with unencrypted authentication, are at risk. Countries with significant deployments of Open-Xchange products and high email service usage are most likely affected. The CVSS score is 6.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 03/27/2026, 08:46:42 UTC

Technical Analysis

CVE-2026-27855 identifies a vulnerability in the OTP authentication mechanism of Open-Xchange GmbH's OX Dovecot Pro mail server software. The flaw arises when the authentication cache is enabled and the username is modified in the passdb configuration. Under these conditions, the system caches OTP credentials improperly, allowing the same one-time password to be reused for authentication. This creates a replay attack vector: an attacker capable of intercepting an OTP exchange can reuse the captured OTP to authenticate as the legitimate user. The vulnerability requires the attacker to observe the OTP exchange, which typically involves network-level access or man-in-the-middle capabilities. Exploitation is complicated by the need for user interaction and by high attack complexity. The vulnerability is exacerbated when authentication occurs over insecure connections, such as plaintext or weakly encrypted channels. The vendor recommends switching to more secure authentication protocols like SCRAM or OAUTH2 and ensuring all communications are encrypted, for example by using TLS. No public exploits have been reported, and no patches are explicitly linked, indicating that mitigation relies on configuration changes and protocol upgrades. The CVSS v3.1 base score is 6.8, reflecting a medium severity rating with high confidentiality and integrity impacts but no availability impact. The vulnerability affects all versions of OX Dovecot Pro as indicated in the advisory, which was published in March 2026.

Potential Impact

The primary impact of this vulnerability is unauthorized access to user accounts via replay of OTP credentials, compromising confidentiality and integrity of email communications and potentially other services relying on OX Dovecot Pro authentication. Attackers who successfully exploit this flaw can impersonate legitimate users, access sensitive emails, and potentially escalate privileges or conduct further attacks within the compromised environment. The vulnerability does not affect availability directly but can lead to significant data breaches and loss of trust. Organizations using OX Dovecot Pro in environments with unencrypted authentication channels are at higher risk, especially if authentication caching is enabled and usernames are altered in passdb. The medium CVSS score reflects the need for attacker access to network traffic and user interaction, limiting the ease of exploitation but not eliminating risk. Given the widespread use of OX Dovecot Pro in enterprise email systems, the vulnerability could affect a broad range of organizations, including government, finance, healthcare, and technology sectors, where email confidentiality is critical.

Mitigation Recommendations

To mitigate CVE-2026-27855, organizations should first disable authentication caching in OX Dovecot Pro if it is enabled, especially when username modifications in passdb are necessary. Ensure that all authentication traffic is transmitted over secure, encrypted channels such as TLS to prevent interception of OTP exchanges. Where possible, migrate authentication mechanisms from OTP to more secure protocols like SCRAM or OAUTH2, which provide stronger resistance to replay attacks. Regularly audit and monitor authentication logs for unusual login patterns that may indicate replay attacks or unauthorized access attempts. Network segmentation and use of VPNs can reduce the risk of attackers intercepting OTP exchanges. Additionally, keep abreast of vendor updates and patches related to this vulnerability and apply them promptly once available. Educate users about the risks of authentication over insecure networks and encourage the use of multi-factor authentication methods that do not rely solely on OTPs vulnerable to replay. Implement intrusion detection systems capable of identifying replay attack patterns on authentication traffic.
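As an added illustration, not taken from the advisory or from Open-Xchange, the fragment below contrasts the risky settings the advisory names (auth cache enabled, OTP mechanism offered, non-TLS logins allowed) with their hardened counterparts in Dovecot 2.3-style configuration. It assumes OX Dovecot Pro accepts these Dovecot setting names and syntax; confirm against your deployment's documentation before applying.

```conf
# dovecot.conf excerpt (Dovecot 2.3-style syntax, assumed to apply to OX Dovecot Pro)

# --- Risky combination described in the advisory (shown for contrast, commented out) ---
# auth_mechanisms = plain login otp     # OTP mechanism offered
# auth_cache_size = 10M                 # auth cache enabled ...
# auth_cache_ttl = 1 hour               # ... so a cached OTP credential can be reused
# disable_plaintext_auth = no           # logins over non-TLS sessions accepted
# ssl = yes                             # TLS available but not enforced

# --- Hardened settings reflecting the vendor's recommendations ---
auth_cache_size = 0                     # disable the auth cache entirely
auth_mechanisms = plain login scram-sha-256 oauthbearer   # OTP removed; SCRAM / OAuth2 offered
disable_plaintext_auth = yes            # refuse credentials unless the session is TLS-protected
ssl = required                          # clients must negotiate TLS before authenticating

# If a passdb rewrites the username (the trigger condition named in the advisory),
# keeping the cache disabled removes the path by which rewritten OTP credentials
# could be cached and replayed.
```

Running `doveconf -n` prints the effective non-default settings and is a quick way to verify that the cache is off and TLS is enforced after a reload.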


Technical Details

Data Version: 5.2
Assigner Short Name: OX
Date Reserved: 2026-02-24T08:46:09.373Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 69c63ffa3c064ed76f701a54

Added to database: 3/27/2026, 8:29:46 AM

Last enriched: 3/27/2026, 8:46:42 AM

Last updated: 3/27/2026, 9:39:03 AM
