CVE-2026-27856: Dovecot doveadm Timing Oracle Attack
A timing side-channel vulnerability tracked as CVE-2026-27856 has been disclosed in Dovecot's doveadm HTTP service. The flaw arises from a direct string comparison used to verify doveadm credentials, which is susceptible to a timing oracle attack. By measuring response latency differences, a remote attacker can methodically determine the configured credentials — ultimately achieving full access to the doveadm HTTP API.
The vulnerability was published on March 27, 2026, and assigned a CVSS v3.1 score of 7.4 (High). Dovecot recommends restricting access to the doveadm HTTP service port as an immediate mitigation until a patch is available.
Vulnerability Overview
| Attribute | Value |
|---|---|
| CVE ID | CVE-2026-27856 |
| CVSS Score | 7.4 (High) |
| CWE Classification | CWE-208 — Observable Timing Discrepancy |
| Affected Component | doveadm HTTP service credential verification |
| Attack Vector | Network |
| Privileges Required | None |
| User Interaction | None |
| Primary Impact | Credential recovery → full doveadm API access |
| Published | March 27, 2026 |
Affected Software
The vulnerability affects the doveadm HTTP service component of Dovecot. Dovecot is the world's most widely deployed IMAP and POP3 server, commonly found in enterprise mail infrastructure, hosting providers, and ISP environments. The doveadm HTTP API provides administrative control over mailboxes, users, and server operations — making credential exposure a high-severity incident.
Deployments that expose the doveadm HTTP service over a network interface are most at risk. Installations where the doveadm port is bound only to localhost or protected behind a firewall have a significantly reduced attack surface.
Technical Details
Root Cause: Non-Constant-Time Comparison
The doveadm HTTP service authenticates incoming requests by comparing a provided credential string against the configured secret. The comparison is implemented as a direct equality check rather than a constant-time comparison function.
In a direct (non-constant-time) string comparison, the operation returns as soon as a byte mismatch is detected. This means:
- A guess that matches the first N bytes of the correct credential takes longer to reject than one that fails immediately at byte 0
- By systematically varying credential bytes and measuring response times, an attacker can determine correct bytes one at a time
This class of vulnerability is known as a timing oracle or timing side-channel attack (CWE-208: Observable Timing Discrepancy).
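To make the discrepancy concrete, here is an added Python model of both comparators (example code written for this page, not Dovecot's implementation). `bytes_examined` stands in for the response latency an observer would measure: with the early-exit comparator it grows with the length of the matching prefix, while the constant-time version always does the same amount of work. The function names, the sample secret and the helper `leaked_prefix_length` are this example's own; `hmac.compare_digest` is the real standard-library routine production code should use.

```python
import hmac


def early_exit_equal(secret: bytes, guess: bytes) -> tuple[bool, int]:
    """Byte-by-byte equality that returns at the first mismatch, modelling the
    direct comparison the advisory describes (example code, not Dovecot's).
    Returns (equal, bytes_examined); bytes_examined stands in for the elapsed
    time an observer measures, and it grows with the length of the matching
    prefix. That growth is the observable discrepancy of CWE-208."""
    n = min(len(secret), len(guess))
    for i in range(n):
        if secret[i] != guess[i]:
            return False, i + 1
    # every compared byte matched; only the lengths can still differ
    return len(secret) == len(guess), n


def constant_time_equal(secret: bytes, guess: bytes) -> tuple[bool, int]:
    """Equality whose work does not depend on where the first mismatch is:
    every byte of the secret is visited and differences are OR-accumulated,
    so bytes_examined is always len(secret). The secret's length remains
    observable, the same limitation hmac.compare_digest has."""
    diff = len(secret) ^ len(guess)  # non-zero whenever the lengths differ
    for i in range(len(secret)):
        g = guess[i % len(guess)] if guess else 0  # never index past the guess
        diff |= secret[i] ^ g
    return diff == 0, len(secret)


def verify_credential(secret: bytes, presented: bytes) -> bool:
    """What production code should do instead of hand-rolling either loop:
    defer to the standard library's constant-time comparison."""
    return hmac.compare_digest(secret, presented)


def leaked_prefix_length(secret: bytes, compare) -> list[int]:
    """For each position k, build a guess that matches the secret for k bytes
    and then differs, and record how many bytes `compare` examined. With the
    early-exit comparator the series climbs 1, 2, 3, ...; with the
    constant-time one it is flat, so the measurement carries no information."""
    series = []
    for k in range(len(secret)):
        wrong = bytes([secret[k] ^ 0xFF])  # differs from secret[k] by construction
        guess = secret[:k] + wrong + bytes(len(secret) - k - 1)
        _, examined = compare(secret, guess)
        series.append(examined)
    return series


if __name__ == "__main__":
    SECRET = b"s3cret-doveadm-key"  # constructed sample value, not a real secret
    print("early-exit    :", leaked_prefix_length(SECRET, early_exit_equal))
    print("constant-time :", leaked_prefix_length(SECRET, constant_time_equal))
```

Running the block prints a climbing series for the early-exit comparator and a flat one for the constant-time comparator; the flat series is what a fixed credential check should produce. Note that even the constant-time loop reveals the secret's length through its loop bound, which is why secrets should be of a fixed, non-informative length (for example a hash or fixed-size random token).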
Attack Methodology
1. Attacker sends credential guess "A..." to doveadm HTTP endpoint
2. Measures response latency: T_wrong_first_byte (fast rejection)
3. Tries "B...", "C...", ... until one guess produces T_correct_first_byte (slower)
4. Correct first byte identified — repeat for each subsequent byte
5. Full credential string recovered byte-by-byte
6. Attacker authenticates with recovered credential
7. Full access to doveadm HTTP API achieved
The number of requests required scales linearly with credential length and character set size, making this a practical attack given sufficient network access and stable latency conditions. In low-jitter network environments such as local networks or co-located servers, the timing differences are more reliably measurable.
Impact of Full doveadm Access
The doveadm HTTP API provides administrative control over the Dovecot server, including:
- Mailbox management: List, read, export, delete, and move mailboxes across all users
- User operations: Create and remove user accounts, modify quotas
- Search and export: Execute mail searches across the entire server
- Purge and cleanup: Delete messages and expunge mailboxes
An attacker with recovered credentials can read any user's email, exfiltrate mail data in bulk, or modify mailbox state — representing a complete confidentiality and integrity compromise of the mail store.
Impact Assessment
| Area | Description |
|---|---|
| Confidentiality | Full mail content of all users readable via doveadm API |
| Integrity | Attacker can delete, move, or modify messages in any mailbox |
| Network Exposure | Attack requires network access to the doveadm HTTP port |
| Timing Stability | Low-jitter, co-located, or LAN environments are most vulnerable |
| ISP / Hosting Risk | Multi-tenant mail servers expose all tenants' mail if doveadm is reachable |
Remediation
Immediate Mitigation: Restrict Network Access
Dovecot explicitly recommends limiting access to the doveadm HTTP service port as the primary mitigation until a patch is available:
```bash
# Identify the doveadm HTTP listener port (default: 8080 or custom)
doveconf | grep doveadm_port
# ufw evaluates rules in order and stops at the first match, so the allow
# rule for trusted management hosts must be added before the deny rule
ufw allow from <trusted_management_ip> to any port <doveadm_port> proto tcp
# Block all other access to the port
ufw deny <doveadm_port>/tcp
```

For environments using firewalld:

```bash
# Remove doveadm port from public zone
firewall-cmd --zone=public --remove-port=<doveadm_port>/tcp --permanent
firewall-cmd --reload
# Optionally restrict to a management zone (the zone must already exist;
# create it first with: firewall-cmd --permanent --new-zone=management)
firewall-cmd --zone=management --add-port=<doveadm_port>/tcp --permanent
firewall-cmd --reload
```

Patch
Monitor the official Dovecot security page for a patch release. Once available, apply promptly.
Additional Hardening
- Rotate the doveadm secret after patching — credentials may have been compromised
- Review doveadm access logs for unusual credential-probing patterns (many rapid authentication failures from a single source)
- Prefer Unix socket for local doveadm access where remote administration is not required — socket-based connections eliminate the network timing attack surface entirely
- Use network segmentation to isolate the doveadm port behind a management-only interface or VPN
Detection
Timing oracle attacks are difficult to detect from application logs alone since each individual request appears as a failed authentication. High-volume authentication failures from a single source are an indicator of credential probing. Look for:
- Repeated failed authentication attempts against the doveadm HTTP endpoint from a single IP
- Unusual request volume on the doveadm port compared to baseline
- Scripted timing patterns — requests sent at regular intervals characteristic of automated probing
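The three indicators above can be checked with a small script over the doveadm logs. The following is an added Python example, not part of the advisory or of Dovecot: it counts authentication failures per source within a sliding window and measures how regular the cadence is, flagging sources that exceed a volume threshold and marking those with near-periodic timing as scripted. The log line format, the sample lines (using documentation IP ranges) and the thresholds are constructed for the example; adapt `LINE_RE` and the thresholds to your server's actual log format and baseline.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed line format for this example; the advisory shows no real doveadm
# log lines, so adapt this regex to what your server actually writes.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) doveadm: http: auth failed from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})$"
)


def parse_failures(lines):
    """Map source IP -> list of failure timestamps; non-matching lines are skipped."""
    by_ip = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        by_ip[m["ip"]].append(datetime.fromisoformat(m["ts"].replace("Z", "+00:00")))
    return by_ip


def regularity(timestamps):
    """Coefficient of variation of the inter-arrival gaps: 0.0 is perfectly
    periodic, which is what an automated prober looks like. None if fewer than
    three events, since two events give one gap and no spread to judge."""
    if len(timestamps) < 3:
        return None
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    mean = statistics.fmean(gaps)
    return 0.0 if mean == 0 else statistics.pstdev(gaps) / mean


def find_probing(lines, *, min_failures=20, window_seconds=60, max_cv=0.25):
    """Flag each source whose failures reach min_failures inside some
    window_seconds span, and mark it 'scripted' when its cadence is regular.
    Thresholds are assumptions for the example; tune them to your baseline."""
    alerts = {}
    for ip, ts in parse_failures(lines).items():
        ts.sort()
        peak, j = 0, 0
        for i in range(len(ts)):  # sliding window over sorted timestamps
            while (ts[i] - ts[j]).total_seconds() > window_seconds:
                j += 1
            peak = max(peak, i - j + 1)
        if peak >= min_failures:
            cv = regularity(ts)
            alerts[ip] = {
                "failures": len(ts),
                "peak_in_window": peak,
                "scripted": cv is not None and cv <= max_cv,
            }
    return alerts


def constructed_sample_log():
    """Synthetic log: an automated prober firing every 500 ms from 203.0.113.7
    and an operator at 198.51.100.20 who mistypes twice. Not real server output."""
    base = datetime(2026, 3, 28, 10, 0, 0, tzinfo=timezone.utc)

    def stamp(t):
        return t.isoformat().replace("+00:00", "Z")

    lines = [
        f"{stamp(base + timedelta(milliseconds=500 * i))} doveadm: http: auth failed from 203.0.113.7"
        for i in range(40)
    ]
    lines.append(f"{stamp(base + timedelta(seconds=5))} doveadm: http: auth failed from 198.51.100.20")
    lines.append(f"{stamp(base + timedelta(seconds=47))} doveadm: http: auth failed from 198.51.100.20")
    lines.append(f"{stamp(base + timedelta(seconds=48))} doveadm: http: auth ok from 198.51.100.20")
    return lines


if __name__ == "__main__":
    for ip, info in find_probing(constructed_sample_log()).items():
        print(ip, info)
```

On the constructed sample only 203.0.113.7 is reported: 40 failures in under 20 seconds with a coefficient of variation of 0.0, so it is marked scripted, while the operator's two mistakes stay below the threshold. Because a timing attack needs many closely spaced requests to average out jitter, the volume and regularity signals tend to appear together; a single alert on either should prompt checking the source against the list of trusted management hosts.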
Key Takeaways
- CVE-2026-27856 is a timing oracle in Dovecot's doveadm HTTP service credential verification — attackers can recover credentials by measuring response time differences
- A CVSS 7.4 High severity rating reflects the network-accessible attack vector and potential for full administrative access
- Full doveadm access grants read/write/delete capability over all mail on the server, making this a high-impact breach if exploited
- The recommended immediate mitigation is firewall restriction of the doveadm HTTP port to trusted management hosts only
- Environments where doveadm is exposed to untrusted networks — including internet-facing deployments — should treat this as urgent