Skip to main content

Cyrus IMAP CVE-2026-47084

| EUVDEUVD-2026-45007 MEDIUM
Incorrect Authorization (CWE-863)
2026-07-16 mitre GHSA-324f-35v9-jxhh
6.5
CVSS 3.1 · Vendor: mitre
Share

Severity by source

Vendor (mitre) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
vuln.today AI
8.1 HIGH

Mailbox deletion permanently destroys data and removes user access, warranting A:H alongside I:H; all other metrics align with the provided vector.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (mitre).

CVSS VectorVendor: mitre

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

2
Patch available
Jul 16, 2026 - 20:48 EUVD
Analysis Generated
Jul 16, 2026 - 19:01 vuln.today

DescriptionCVE.org

An issue was discovered in cyrus-imapd in Cyrus IMAP through 3.12.2. The LOCALDELETE command bypassed ACL checks. An authenticated but non-admin user could invoke the admin-only LOCALDELETE IMAP command and delete mailboxes for which they had no permissions.

AnalysisAI

Unauthorized mailbox deletion in Cyrus IMAP through 3.12.2 allows any authenticated non-admin user to invoke the admin-only LOCALDELETE command, bypassing ACL enforcement entirely. Any user with a valid account on an affected server can permanently delete arbitrary mailboxes - including those they have no read, write, or administrative permissions over - simply by issuing the improperly guarded command. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain low-privilege IMAP credentials
Delivery
Authenticate to Cyrus IMAP server
Exploit
Issue LOCALDELETE command on target mailbox
Execution
ACL check bypassed due to CWE-863 flaw
Impact
Target mailbox permanently deleted

Vulnerability AssessmentAI

Exploitation Exploitation requires a valid, authenticated IMAP session on the Cyrus IMAP server - the attacker must hold any low-privilege user account (PR:L per CVSS vector). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N scores 6.5 (Medium), reflecting network-accessible exploitation by any low-privileged authenticated user with no complexity or interaction barriers. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with any valid low-privilege IMAP account - for example, a disgruntled employee, a compromised user credential, or an account obtained via phishing - connects to the Cyrus IMAP server over the network and issues a LOCALDELETE command targeting a mailbox belonging to another user or a shared folder. Because ACL validation is not performed for this command, the server processes the deletion without authorization, permanently removing the targeted mailbox and all its contents. …
Remediation Upgrade to Cyrus IMAP 3.12.3, which addresses the ACL enforcement gap for the LOCALDELETE command per the vendor release notes at https://www.cyrusimap.org/3.12/imap/download/release-notes/3.12/x/3.12.3.html. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2017-12843 MEDIUM
6.5 Aug 22

Cyrus IMAP before 3.0.3 allows remote authenticated users to write to arbitrary files via a crafted (1) SYNCAPPLY, (2) S

CVE-2024-34055 MEDIUM
6.5 Jun 05

Cyrus IMAP before 3.8.3 and 3.10.x before 3.10.0-rc1 allows authenticated attackers to cause unbounded memory allocation

CVE-2026-47082 MEDIUM
5.4 Jul 16

Incorrect authorization in Cyrus IMAP through 3.12.2 allows authenticated users to bypass mailbox ACL enforcement via th

CVE-2026-47083 MEDIUM
4.3 Jul 16

Cross-user information disclosure in Cyrus IMAP through 3.12.2 allows any authenticated IMAP user to enumerate folder na

CVE-2026-47089 MEDIUM
4.3 Jul 16

Cyrus IMAP through 3.12.2 exposes mailbox ACL data to any authenticated user via the IMAP LISTRIGHTS command, which lack

CVE-2026-47085 MEDIUM
4.0 Jul 16

URLAUTH token forgery in Cyrus IMAP through 3.12.2 allows a network-based unauthenticated attacker to read the contents

CVE-2026-47086 LOW
3.5 Jul 16

Unauthorized mailbox access in Cyrus IMAP through 3.12.2 allows any authenticated user to read email from mailboxes they

CVE-2026-47087 LOW
3.5 Jul 16

Cyrus IMAP through version 3.12.2 fails to invalidate URLAUTH-minted URLs when the authorizer's access is subsequently r

CVE-2026-47081 LOW
3.1 Jul 16

Cyrus IMAP through version 3.12.2 contains an authorization flaw in its XAPPLEPUSHSERVICE (XAPS) command that lets authe

CVE-2026-47088 LOW
3.1 Jul 16

Heap over-read in Cyrus IMAP through version 3.12.2 enables authenticated IMAP users to leak server heap memory by submi

Share

CVE-2026-47084 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy