Severity by source
AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N
PR:L reflects that the exploiting party must already hold a minted URLAUTH URL; AC:H captures the timing-dependent revocation prerequisite; S:C because the stale URL crosses an authorization scope boundary.
Primary rating from Vendor (mitre).
CVSS VectorVendor: mitre
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N
Lifecycle Timeline
2DescriptionCVE.org
An issue was discovered in cyrus-imapd in Cyrus IMAP through 3.12.2. URLAUTH does not honor revoked authorizer access. A URLAUTH URL minted while the authorizer had access continued to work after that access was revoked.
AnalysisAI
Cyrus IMAP through version 3.12.2 fails to invalidate URLAUTH-minted URLs when the authorizer's access is subsequently revoked, allowing continued unauthorized access to delegated mailbox content. The flaw (CWE-672: Operation on Resource after Expiration or Release) affects the URLAUTH extension defined in RFC 4467, which is designed to let users grant third-party access to mailbox data without sharing credentials. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires three concurrent conditions: (1) the URLAUTH IMAP extension must be in active use on the target server, (2) an authorizer must have previously minted a URLAUTH URL and that URL must be in the possession of a third party, and (3) the authorizer's access must subsequently be revoked (via ACL removal, account deletion, or password change) while the URL remains unexpired. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 score of 3.5 (Low) with vector AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N accurately reflects the limited but real risk profile. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A user delegates mailbox access by issuing a URLAUTH URL to a colleague or automated system; later, the authorizer's account is disabled or their ACL is removed following a role change or departure. The recipient retains the original URL and continues to successfully fetch mailbox content via that stale URLAUTH token, bypassing the intended access revocation. … |
| Remediation | Upgrade to Cyrus IMAP version 3.12.3, which is confirmed by the vendor's official release notes at https://www.cyrusimap.org/3.12/imap/download/release-notes/3.12/x/3.12.3.html as containing the fix for this issue. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Cyrus Imap
View allCyrus IMAP before 3.0.3 allows remote authenticated users to write to arbitrary files via a crafted (1) SYNCAPPLY, (2) S
Unauthorized mailbox deletion in Cyrus IMAP through 3.12.2 allows any authenticated non-admin user to invoke the admin-o
Cyrus IMAP before 3.8.3 and 3.10.x before 3.10.0-rc1 allows authenticated attackers to cause unbounded memory allocation
Incorrect authorization in Cyrus IMAP through 3.12.2 allows authenticated users to bypass mailbox ACL enforcement via th
Cross-user information disclosure in Cyrus IMAP through 3.12.2 allows any authenticated IMAP user to enumerate folder na
Cyrus IMAP through 3.12.2 exposes mailbox ACL data to any authenticated user via the IMAP LISTRIGHTS command, which lack
URLAUTH token forgery in Cyrus IMAP through 3.12.2 allows a network-based unauthenticated attacker to read the contents
Unauthorized mailbox access in Cyrus IMAP through 3.12.2 allows any authenticated user to read email from mailboxes they
Cyrus IMAP through version 3.12.2 contains an authorization flaw in its XAPPLEPUSHSERVICE (XAPS) command that lets authe
Heap over-read in Cyrus IMAP through version 3.12.2 enables authenticated IMAP users to leak server heap memory by submi
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-45010
GHSA-4pcj-qpx3-mjmx