Severity by source
AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
Network IMAP access required (AV:N); authentication mandatory (PR:L); guessing foreign mailbox names adds complexity (AC:H); only existence metadata disclosed, no content (C:L, I:N, A:N).
Primary rating from Vendor (mitre).
CVSS VectorVendor: mitre
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
3DescriptionCVE.org
An issue was discovered in cyrus-imapd in Cyrus IMAP through 3.12.2. There is an XAPPLEPUSHSERVICE folder existence oracle and push hijack. An authenticated IMAP user could probe for the existence of arbitrary mailboxes on other users' accounts via the XAPPLEPUSHSERVICE command and then create Apple Push Notification Service notifications for new mail in those mailboxes to their own APNS device. This did not leak any data about the content of mailboxes. Instead, a "mailbox has changed" notice would be pushed when the mailbox modseq changed.
AnalysisAI
Cyrus IMAP through version 3.12.2 contains an authorization flaw in its XAPPLEPUSHSERVICE (XAPS) command that lets authenticated IMAP users enumerate arbitrary mailboxes belonging to other accounts and redirect Apple Push Notification Service alerts about those mailboxes to their own device. The flaw (CWE-863, Incorrect Authorization) does not expose message content - only whether a target mailbox exists and when its modification sequence (modseq) changes - but it enables cross-account probing and unauthorized push subscription in multi-tenant IMAP deployments. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The XAPPLEPUSHSERVICE extension must be enabled in the Cyrus IMAP server configuration and the server must be reachable over a network IMAP connection - deployments without APNS integration enabled are unaffected by both the push hijack and the push-based confirmation channel. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 score of 3.1 (Low) with vector AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N accurately characterises this as a low-priority finding for most environments. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An authenticated IMAP user connects to a shared Cyrus IMAP server and iterates through common mailbox name patterns (e.g., Inbox, Sent, Archives) using the XAPPLEPUSHSERVICE command targeting other users' account namespaces; the server's differential responses confirm which mailboxes exist, revealing organisational folder structure. The attacker then registers their own APNS device token for a confirmed target mailbox, after which every time the victim receives new mail or otherwise changes that folder, the attacker's Apple device receives a 'mailbox has changed' push notification. … |
| Remediation | The primary remediation is to upgrade Cyrus IMAP to version 3.12.3 or later, which addresses this vulnerability according to the vendor release notes at https://www.cyrusimap.org/3.12/imap/download/release-notes/3.12/x/3.12.3.html; consult https://www.cyrusimap.org/imap/download/release-notes/index.html for status of other supported branches. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Cyrus Imap
View allCyrus IMAP before 3.0.3 allows remote authenticated users to write to arbitrary files via a crafted (1) SYNCAPPLY, (2) S
Unauthorized mailbox deletion in Cyrus IMAP through 3.12.2 allows any authenticated non-admin user to invoke the admin-o
Cyrus IMAP before 3.8.3 and 3.10.x before 3.10.0-rc1 allows authenticated attackers to cause unbounded memory allocation
Incorrect authorization in Cyrus IMAP through 3.12.2 allows authenticated users to bypass mailbox ACL enforcement via th
Cross-user information disclosure in Cyrus IMAP through 3.12.2 allows any authenticated IMAP user to enumerate folder na
Cyrus IMAP through 3.12.2 exposes mailbox ACL data to any authenticated user via the IMAP LISTRIGHTS command, which lack
URLAUTH token forgery in Cyrus IMAP through 3.12.2 allows a network-based unauthenticated attacker to read the contents
Unauthorized mailbox access in Cyrus IMAP through 3.12.2 allows any authenticated user to read email from mailboxes they
Cyrus IMAP through version 3.12.2 fails to invalidate URLAUTH-minted URLs when the authorizer's access is subsequently r
Heap over-read in Cyrus IMAP through version 3.12.2 enables authenticated IMAP users to leak server heap memory by submi
Same weakness CWE-863 – Incorrect Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-45004