Skip to main content

Cyrus IMAP CVE-2026-47081

| EUVDEUVD-2026-45004 LOW
Incorrect Authorization (CWE-863)
2026-07-16 mitre
3.1
CVSS 3.1 · Vendor: mitre

Severity by source

Vendor (mitre) PRIMARY
3.1 LOW
AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
vuln.today AI
3.1 LOW

Network IMAP access required (AV:N); authentication mandatory (PR:L); guessing foreign mailbox names adds complexity (AC:H); only existence metadata disclosed, no content (C:L, I:N, A:N).

3.1 AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
4.0 AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N

Primary rating from Vendor (mitre).

CVSS VectorVendor: mitre

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

3
Patch available
Jul 16, 2026 - 20:48 EUVD
Analysis Generated
Jul 16, 2026 - 18:46 vuln.today
CVE Published
Jul 16, 2026 - 00:00 cve.org
LOW 3.1

DescriptionCVE.org

An issue was discovered in cyrus-imapd in Cyrus IMAP through 3.12.2. There is an XAPPLEPUSHSERVICE folder existence oracle and push hijack. An authenticated IMAP user could probe for the existence of arbitrary mailboxes on other users' accounts via the XAPPLEPUSHSERVICE command and then create Apple Push Notification Service notifications for new mail in those mailboxes to their own APNS device. This did not leak any data about the content of mailboxes. Instead, a "mailbox has changed" notice would be pushed when the mailbox modseq changed.

AnalysisAI

Cyrus IMAP through version 3.12.2 contains an authorization flaw in its XAPPLEPUSHSERVICE (XAPS) command that lets authenticated IMAP users enumerate arbitrary mailboxes belonging to other accounts and redirect Apple Push Notification Service alerts about those mailboxes to their own device. The flaw (CWE-863, Incorrect Authorization) does not expose message content - only whether a target mailbox exists and when its modification sequence (modseq) changes - but it enables cross-account probing and unauthorized push subscription in multi-tenant IMAP deployments. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate to Cyrus IMAP server with valid credentials
Delivery
Issue XAPPLEPUSHSERVICE commands referencing foreign account mailbox paths
Exploit
Observe server responses to confirm mailbox existence (oracle)
Execution
Register own APNS device token for confirmed victim mailbox
Impact
Receive 'mailbox changed' push notifications on victim mail activity

Vulnerability AssessmentAI

Exploitation The XAPPLEPUSHSERVICE extension must be enabled in the Cyrus IMAP server configuration and the server must be reachable over a network IMAP connection - deployments without APNS integration enabled are unaffected by both the push hijack and the push-based confirmation channel. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 score of 3.1 (Low) with vector AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N accurately characterises this as a low-priority finding for most environments. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An authenticated IMAP user connects to a shared Cyrus IMAP server and iterates through common mailbox name patterns (e.g., Inbox, Sent, Archives) using the XAPPLEPUSHSERVICE command targeting other users' account namespaces; the server's differential responses confirm which mailboxes exist, revealing organisational folder structure. The attacker then registers their own APNS device token for a confirmed target mailbox, after which every time the victim receives new mail or otherwise changes that folder, the attacker's Apple device receives a 'mailbox has changed' push notification. …
Remediation The primary remediation is to upgrade Cyrus IMAP to version 3.12.3 or later, which addresses this vulnerability according to the vendor release notes at https://www.cyrusimap.org/3.12/imap/download/release-notes/3.12/x/3.12.3.html; consult https://www.cyrusimap.org/imap/download/release-notes/index.html for status of other supported branches. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2017-12843 MEDIUM
6.5 Aug 22

Cyrus IMAP before 3.0.3 allows remote authenticated users to write to arbitrary files via a crafted (1) SYNCAPPLY, (2) S

CVE-2026-47084 MEDIUM
6.5 Jul 16

Unauthorized mailbox deletion in Cyrus IMAP through 3.12.2 allows any authenticated non-admin user to invoke the admin-o

CVE-2024-34055 MEDIUM
6.5 Jun 05

Cyrus IMAP before 3.8.3 and 3.10.x before 3.10.0-rc1 allows authenticated attackers to cause unbounded memory allocation

CVE-2026-47082 MEDIUM
5.4 Jul 16

Incorrect authorization in Cyrus IMAP through 3.12.2 allows authenticated users to bypass mailbox ACL enforcement via th

CVE-2026-47083 MEDIUM
4.3 Jul 16

Cross-user information disclosure in Cyrus IMAP through 3.12.2 allows any authenticated IMAP user to enumerate folder na

CVE-2026-47089 MEDIUM
4.3 Jul 16

Cyrus IMAP through 3.12.2 exposes mailbox ACL data to any authenticated user via the IMAP LISTRIGHTS command, which lack

CVE-2026-47085 MEDIUM
4.0 Jul 16

URLAUTH token forgery in Cyrus IMAP through 3.12.2 allows a network-based unauthenticated attacker to read the contents

CVE-2026-47086 LOW
3.5 Jul 16

Unauthorized mailbox access in Cyrus IMAP through 3.12.2 allows any authenticated user to read email from mailboxes they

CVE-2026-47087 LOW
3.5 Jul 16

Cyrus IMAP through version 3.12.2 fails to invalidate URLAUTH-minted URLs when the authorizer's access is subsequently r

CVE-2026-47088 LOW
3.1 Jul 16

Heap over-read in Cyrus IMAP through version 3.12.2 enables authenticated IMAP users to leak server heap memory by submi

Share

CVE-2026-47081 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy