Skip to main content

Cyrus IMAP CVE-2026-47088

| EUVDEUVD-2026-45011 LOW
Buffer Over-read (CWE-126)
2026-07-16 mitre
3.1
CVSS 3.1 · Vendor: mitre

Severity by source

Vendor (mitre) PRIMARY
3.1 LOW
AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
vuln.today AI
3.1 LOW

Network-accessible IMAP service requires valid credentials (PR:L); reliable heap data extraction depends on non-deterministic heap layout (AC:H); impact is confidentiality-only partial disclosure with no integrity or availability consequence.

3.1 AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
4.0 AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (mitre).

CVSS VectorVendor: mitre

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

2
Patch available
Jul 16, 2026 - 20:48 EUVD
Analysis Generated
Jul 16, 2026 - 19:04 vuln.today

DescriptionCVE.org

An issue was discovered in cyrus-imapd in Cyrus IMAP through 3.12.2. There is heap exposure in nested MIME comment parsing. An authenticated IMAP user could craft an email message containing an RFC 822 comment ending with a backslash. When parsing the message, the server would read past the message's end in memory, and read into the heap, returning the read content to the user.

AnalysisAI

Heap over-read in Cyrus IMAP through version 3.12.2 enables authenticated IMAP users to leak server heap memory by submitting a crafted email containing an RFC 822 MIME comment whose final character is a backslash. During message parsing, the server reads past the end of the message buffer into adjacent heap memory and returns the exposed content to the requesting user, resulting in partial, non-deterministic heap disclosure. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain authenticated IMAP credentials
Delivery
Craft email with RFC 822 comment ending in backslash
Exploit
Submit crafted message to Cyrus IMAP server
Execution
Trigger heap over-read past message buffer boundary
Impact
Receive leaked heap memory bytes in server response

Vulnerability AssessmentAI

Exploitation Exploitation requires a valid, authenticated IMAP account on the target Cyrus IMAP server (confirmed by CVSS PR:L). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The NVD CVSS 3.1 base score of 3.1 (AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N) accurately characterizes this as a low-severity issue. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An authenticated IMAP user submits a crafted email message containing a nested MIME structure with an RFC 822 comment token whose final character is a backslash, causing the Cyrus IMAP parser to advance its read pointer past the message buffer boundary into adjacent heap memory. The server includes bytes from that adjacent heap region in its response to the user, potentially exposing residual data from prior server operations such as other users' session fragments, cached message data, or internal state. …
Remediation Upgrade to Cyrus IMAP version 3.12.3 or later, which addresses this vulnerability per the release notes at https://www.cyrusimap.org/3.12/imap/download/release-notes/3.12/x/3.12.3.html. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2017-12843 MEDIUM
6.5 Aug 22

Cyrus IMAP before 3.0.3 allows remote authenticated users to write to arbitrary files via a crafted (1) SYNCAPPLY, (2) S

CVE-2026-47084 MEDIUM
6.5 Jul 16

Unauthorized mailbox deletion in Cyrus IMAP through 3.12.2 allows any authenticated non-admin user to invoke the admin-o

CVE-2024-34055 MEDIUM
6.5 Jun 05

Cyrus IMAP before 3.8.3 and 3.10.x before 3.10.0-rc1 allows authenticated attackers to cause unbounded memory allocation

CVE-2026-47082 MEDIUM
5.4 Jul 16

Incorrect authorization in Cyrus IMAP through 3.12.2 allows authenticated users to bypass mailbox ACL enforcement via th

CVE-2026-47083 MEDIUM
4.3 Jul 16

Cross-user information disclosure in Cyrus IMAP through 3.12.2 allows any authenticated IMAP user to enumerate folder na

CVE-2026-47089 MEDIUM
4.3 Jul 16

Cyrus IMAP through 3.12.2 exposes mailbox ACL data to any authenticated user via the IMAP LISTRIGHTS command, which lack

CVE-2026-47085 MEDIUM
4.0 Jul 16

URLAUTH token forgery in Cyrus IMAP through 3.12.2 allows a network-based unauthenticated attacker to read the contents

CVE-2026-47086 LOW
3.5 Jul 16

Unauthorized mailbox access in Cyrus IMAP through 3.12.2 allows any authenticated user to read email from mailboxes they

CVE-2026-47087 LOW
3.5 Jul 16

Cyrus IMAP through version 3.12.2 fails to invalidate URLAUTH-minted URLs when the authorizer's access is subsequently r

CVE-2026-47081 LOW
3.1 Jul 16

Cyrus IMAP through version 3.12.2 contains an authorization flaw in its XAPPLEPUSHSERVICE (XAPS) command that lets authe

Share

CVE-2026-47088 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy