Severity by source
AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N
Network-exploitable via URLAUTH with no attacker authentication needed; AC:H for the per-folder mboxkey-absence prerequisite outside attacker control; S:C reflects cross-account boundary read access.
Primary rating from Vendor (mitre).
CVSS VectorVendor: mitre
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N
Lifecycle Timeline
2DescriptionCVE.org
An issue was discovered in cyrus-imapd in Cyrus IMAP through 3.12.2. URLAUTH token forgery can occur via a missing mboxkey. If an attacker knew a folder name on the victim's account for which the victim had never issued an auth URL, they could forge a working URLAUTH token by computing an HMAC-SHA1 value with a predictable key, giving them read access to the mailbox. (URLAUTH is an obscure feature, meaning that the odds of any user actually being susceptible to this attack are very low. Perhaps no public clients use URLAUTH.)
AnalysisAI
URLAUTH token forgery in Cyrus IMAP through 3.12.2 allows a network-based unauthenticated attacker to read the contents of a victim's mailbox folder by computing a forged authentication token using a predictable HMAC-SHA1 key. The predictability arises specifically when a victim has never issued a URLAUTH-authenticated URL for a given folder, leaving the per-folder mboxkey absent and thus falling back to a computable value. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires three concurrent conditions to be satisfied: first, the target must be running Cyrus IMAP version 3.12.2 or earlier with the URLAUTH extension active and reachable; second, the attacker must have obtained knowledge of at least one valid folder name on the victim's IMAP account (e.g., 'INBOX', 'Sent', or a custom folder); and third, the victim user must never have issued a URLAUTH authentication URL for that specific folder - the instant the legitimate user generates any URLAUTH for a folder, a proper random mboxkey is created and stored, eliminating the predictable-key condition for that folder permanently. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 base score of 4.0 (Medium) with vector AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N reflects a balanced picture: the network attack vector and absence of required attacker authentication (PR:N) lower the barrier to exploitation, while high attack complexity (AC:H) acknowledges the prerequisite knowledge requirements. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who has enumerated or guessed a valid IMAP folder name on a target account - for example, through IMAP LIST responses if unauthenticated enumeration is permitted, or through knowledge of common folder naming conventions - checks whether that folder has ever had a URLAUTH token issued by the legitimate user. If no mboxkey exists for that folder, the attacker computes an HMAC-SHA1 value using the predictable key material and constructs a forged URLAUTH token, which the Cyrus IMAP server validates as authentic, granting read access to that folder's mail contents. … |
| Remediation | Upgrade Cyrus IMAP to version 3.12.3 or later, as indicated by the vendor release notes at https://www.cyrusimap.org/3.12/imap/download/release-notes/3.12/x/3.12.3.html. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Cyrus Imap
View allCyrus IMAP before 3.0.3 allows remote authenticated users to write to arbitrary files via a crafted (1) SYNCAPPLY, (2) S
Unauthorized mailbox deletion in Cyrus IMAP through 3.12.2 allows any authenticated non-admin user to invoke the admin-o
Cyrus IMAP before 3.8.3 and 3.10.x before 3.10.0-rc1 allows authenticated attackers to cause unbounded memory allocation
Incorrect authorization in Cyrus IMAP through 3.12.2 allows authenticated users to bypass mailbox ACL enforcement via th
Cross-user information disclosure in Cyrus IMAP through 3.12.2 allows any authenticated IMAP user to enumerate folder na
Cyrus IMAP through 3.12.2 exposes mailbox ACL data to any authenticated user via the IMAP LISTRIGHTS command, which lack
Unauthorized mailbox access in Cyrus IMAP through 3.12.2 allows any authenticated user to read email from mailboxes they
Cyrus IMAP through version 3.12.2 fails to invalidate URLAUTH-minted URLs when the authorizer's access is subsequently r
Cyrus IMAP through version 3.12.2 contains an authorization flaw in its XAPPLEPUSHSERVICE (XAPS) command that lets authe
Heap over-read in Cyrus IMAP through version 3.12.2 enables authenticated IMAP users to leak server heap memory by submi
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-45008
GHSA-8jrh-wq6h-53c4