Skip to main content

Cyrus IMAP CVE-2026-47086

| EUVDEUVD-2026-45009 LOW
Incorrect Authorization (CWE-863)
2026-07-16 mitre GHSA-j6pg-f6px-vgh9
3.5
CVSS 3.1 · Vendor: mitre

Severity by source

Vendor (mitre) PRIMARY
3.5 LOW
AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N
vuln.today AI
5.0 MEDIUM

AC:L because issuing GENURLAUTH with a known mailbox name is straightforward for any authenticated user; AC:H in the official vector likely overstates complexity.

3.1 AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (mitre).

CVSS VectorVendor: mitre

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

2
Patch available
Jul 16, 2026 - 20:48 EUVD
Analysis Generated
Jul 16, 2026 - 19:03 vuln.today

DescriptionCVE.org

An issue was discovered in cyrus-imapd in Cyrus IMAP through 3.12.2. GENURLAUTH-issued tokens can bypass ACLs. Any authenticated user could mint a URLAUTH token (via the GENURLAUTH command) for any mailbox they could name, even without read access on it. This would allow reading mail from mailboxes despite having no granted permissions.

AnalysisAI

Unauthorized mailbox access in Cyrus IMAP through 3.12.2 allows any authenticated user to read email from mailboxes they have no ACL permissions on by exploiting the GENURLAUTH command's failure to enforce access controls before issuing URLAUTH tokens. The authorization boundary between mailboxes is effectively eliminated for any user who can name a target mailbox, undermining the server's entire multi-user isolation model. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate to Cyrus IMAP server
Delivery
Issue GENURLAUTH command naming target mailbox
Exploit
Receive URLAUTH token without ACL validation
Execution
Redeem token via URLFETCH for target mailbox
Impact
Read confidential mail content of victim user

Vulnerability AssessmentAI

Exploitation The attacker must hold a valid authenticated IMAP session on a Cyrus IMAP server running version 3.12.2 or earlier (PR:L per CVSS vector). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N scores 3.5 (Low), driven primarily by AC:H and C:L. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An authenticated user on a shared Cyrus IMAP server - such as a student on a university mail system or an employee on a corporate IMAP platform - issues a GENURLAUTH command specifying a target mailbox belonging to another user (e.g., a colleague's INBOX or an administrative shared folder) whose name they know or can guess. The server, failing to enforce ACL validation, returns a valid URLAUTH token for that mailbox. …
Remediation Upgrade to Cyrus IMAP 3.12.3 or later, which resolves the GENURLAUTH ACL bypass per the vendor release notes at https://www.cyrusimap.org/3.12/imap/download/release-notes/3.12/x/3.12.3.html. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2017-12843 MEDIUM
6.5 Aug 22

Cyrus IMAP before 3.0.3 allows remote authenticated users to write to arbitrary files via a crafted (1) SYNCAPPLY, (2) S

CVE-2026-47084 MEDIUM
6.5 Jul 16

Unauthorized mailbox deletion in Cyrus IMAP through 3.12.2 allows any authenticated non-admin user to invoke the admin-o

CVE-2024-34055 MEDIUM
6.5 Jun 05

Cyrus IMAP before 3.8.3 and 3.10.x before 3.10.0-rc1 allows authenticated attackers to cause unbounded memory allocation

CVE-2026-47082 MEDIUM
5.4 Jul 16

Incorrect authorization in Cyrus IMAP through 3.12.2 allows authenticated users to bypass mailbox ACL enforcement via th

CVE-2026-47083 MEDIUM
4.3 Jul 16

Cross-user information disclosure in Cyrus IMAP through 3.12.2 allows any authenticated IMAP user to enumerate folder na

CVE-2026-47089 MEDIUM
4.3 Jul 16

Cyrus IMAP through 3.12.2 exposes mailbox ACL data to any authenticated user via the IMAP LISTRIGHTS command, which lack

CVE-2026-47085 MEDIUM
4.0 Jul 16

URLAUTH token forgery in Cyrus IMAP through 3.12.2 allows a network-based unauthenticated attacker to read the contents

CVE-2026-47087 LOW
3.5 Jul 16

Cyrus IMAP through version 3.12.2 fails to invalidate URLAUTH-minted URLs when the authorizer's access is subsequently r

CVE-2026-47081 LOW
3.1 Jul 16

Cyrus IMAP through version 3.12.2 contains an authorization flaw in its XAPPLEPUSHSERVICE (XAPS) command that lets authe

CVE-2026-47088 LOW
3.1 Jul 16

Heap over-read in Cyrus IMAP through version 3.12.2 enables authenticated IMAP users to leak server heap memory by submi

Share

CVE-2026-47086 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy