high advisory

Doveadm Credentials Vulnerable to Timing Oracle Attack (CVE-2026-27856)

Doveadm credentials are verified using direct comparison, which makes the check susceptible to timing oracle attacks and allows attackers to determine credentials and gain full access.

CVE-2026-27856 describes a vulnerability in Doveadm, a component often used in conjunction with mail servers such as Dovecot. The vulnerability stems from the direct comparison method used to verify credentials, which makes verification susceptible to timing oracle attacks. It was published on March 27, 2026. An attacker leveraging this flaw can potentially determine the configured credentials by observing the time it takes for the system to respond to different credential attempts. While no…
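The effect of direct comparison described above, shown as an added example that is neither Dovecot's code nor part of this advisory: an early-exit comparison beside a constant-time one, with a byte counter standing in for measured response time. The key value and all function names are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed secret for illustration; not a real Doveadm credential. */
static const char KEY[] = "s3cr3t-api-key";

/* Direct comparison: stops at the first differing byte. *steps counts the
 * bytes examined, a deterministic stand-in for the measured response time. */
static int direct_equal(const char *guess, const char *key, size_t *steps)
{
    for (size_t i = 0;; i++) {
        *steps = i + 1;
        if (guess[i] != key[i])
            return 0;
        if (guess[i] == '\0')
            return 1;
    }
}

/* Constant-time comparison: always walks the whole configured key and folds
 * every difference, including a length mismatch, into one accumulator. The
 * work depends only on the key length, never on how much of the guess matched. */
static int constant_time_equal(const char *guess, const char *key, size_t *steps)
{
    size_t glen = strlen(guess), klen = strlen(key);
    unsigned char diff = (unsigned char)(glen != klen);
    for (size_t i = 0; i < klen; i++) {
        /* Clamp the index to the guess's NUL so a short guess is never over-read. */
        unsigned char g = (unsigned char)guess[i < glen ? i : glen];
        diff |= (unsigned char)(g ^ (unsigned char)key[i]);
    }
    *steps = klen;
    return diff == 0;
}

/* Hypothetical helpers: work done and verdict for one guess against KEY. */
size_t direct_steps(const char *g) { size_t n; direct_equal(g, KEY, &n); return n; }
size_t constant_steps(const char *g) { size_t n; constant_time_equal(g, KEY, &n); return n; }
int constant_accepts(const char *g) { size_t n; return constant_time_equal(g, KEY, &n); }

int main(void)
{
    const char *guesses[] = { "xxxxxxxxxxxxxx", "s3crxxxxxxxxxx", "s3cr3t-api-kex", KEY };
    for (size_t i = 0; i < 4; i++)
        printf("%-16s direct=%2zu constant=%2zu\n", guesses[i],
               direct_steps(guesses[i]), constant_steps(guesses[i]));
    return 0;
}
```

In production code, prefer a vetted primitive such as OpenSSL's `CRYPTO_memcmp` over a hand-written loop, since an optimizing compiler may reintroduce data-dependent branches.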

Detection coverage (2)

Detect Suspicious Doveadm Authentication Attempts

medium

Detects suspicious authentication attempts to the Doveadm HTTP service, potentially indicating a timing oracle attack.

sigma; tactics: credential_access; techniques: T1110; sources: webserver, linux

Detect Doveadm HTTP Service Access from Unusual IPs

low

Detects access to the Doveadm HTTP service from IP addresses not commonly seen accessing the service.

sigma; tactics: initial_access; sources: webserver, linux
