Skip to main content

Cyrus IMAP CVE-2026-47089

| EUVDEUVD-2026-45012 MEDIUM
Missing Authorization (CWE-862)
2026-07-16 mitre GHSA-fx86-vr4x-grgq
4.3
CVSS 3.1 · Vendor: mitre
Share

Severity by source

Vendor (mitre) PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
vuln.today AI
4.3 MEDIUM

PR:L required as any authenticated user triggers the flaw; C:L reflects ACL metadata disclosure only, with no integrity or availability impact.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (mitre).

CVSS VectorVendor: mitre

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

2
Patch available
Jul 16, 2026 - 20:48 EUVD
Analysis Generated
Jul 16, 2026 - 19:03 vuln.today

DescriptionCVE.org

An issue was discovered in cyrus-imapd in Cyrus IMAP through 3.12.2. LISTRIGHTS os not limited to users with admin access. An authenticated user could call IMAP LISTRIGHTS against any mailbox they could name and learn what principals had what access to it. (This action should have been restricted to users with admin access on the target mailbox.)

AnalysisAI

Cyrus IMAP through 3.12.2 exposes mailbox ACL data to any authenticated user via the IMAP LISTRIGHTS command, which lacks the required admin-access authorization check. Any valid IMAP account holder can call LISTRIGHTS against arbitrary mailboxes they can name, learning which principals hold which access rights - data that should be restricted to mailbox administrators. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain valid IMAP account credentials
Delivery
Authenticate to Cyrus IMAP server (port 143/993)
Exploit
Issue LISTRIGHTS against target mailboxes by name
Execution
Receive unauthorized ACL principal-to-rights mappings
Persist
Identify privileged accounts or sensitive mailbox structures
Impact
Use enumerated principal list for targeted credential or privilege attacks

Vulnerability AssessmentAI

Exploitation Requires a valid IMAP credential for any ordinary user account on the target Cyrus IMAP server (PR:L per CVSS vector - unauthenticated access is insufficient). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 score of 4.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N) accurately reflects the constrained impact: network-reachable with low complexity but requiring authentication (PR:L), with only limited confidentiality impact and no integrity or availability loss. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An authenticated IMAP user connects to a Cyrus IMAP 3.12.2 server over port 143 or 993, then systematically issues LISTRIGHTS commands against known or guessed mailbox names - including executive, shared-service, or administrative mailboxes. The server returns ACL breakdowns without checking admin rights on those mailboxes, allowing the attacker to map which user accounts or service principals hold elevated access, identifying high-value targets for credential theft or further privilege escalation. …
Remediation Upgrade to Cyrus IMAP 3.12.3, which is indicated as the corrective release per vendor release notes at https://www.cyrusimap.org/3.12/imap/download/release-notes/3.12/x/3.12.3.html. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2017-12843 MEDIUM
6.5 Aug 22

Cyrus IMAP before 3.0.3 allows remote authenticated users to write to arbitrary files via a crafted (1) SYNCAPPLY, (2) S

CVE-2026-47084 MEDIUM
6.5 Jul 16

Unauthorized mailbox deletion in Cyrus IMAP through 3.12.2 allows any authenticated non-admin user to invoke the admin-o

CVE-2024-34055 MEDIUM
6.5 Jun 05

Cyrus IMAP before 3.8.3 and 3.10.x before 3.10.0-rc1 allows authenticated attackers to cause unbounded memory allocation

CVE-2026-47082 MEDIUM
5.4 Jul 16

Incorrect authorization in Cyrus IMAP through 3.12.2 allows authenticated users to bypass mailbox ACL enforcement via th

CVE-2026-47083 MEDIUM
4.3 Jul 16

Cross-user information disclosure in Cyrus IMAP through 3.12.2 allows any authenticated IMAP user to enumerate folder na

CVE-2026-47085 MEDIUM
4.0 Jul 16

URLAUTH token forgery in Cyrus IMAP through 3.12.2 allows a network-based unauthenticated attacker to read the contents

CVE-2026-47086 LOW
3.5 Jul 16

Unauthorized mailbox access in Cyrus IMAP through 3.12.2 allows any authenticated user to read email from mailboxes they

CVE-2026-47087 LOW
3.5 Jul 16

Cyrus IMAP through version 3.12.2 fails to invalidate URLAUTH-minted URLs when the authorizer's access is subsequently r

CVE-2026-47081 LOW
3.1 Jul 16

Cyrus IMAP through version 3.12.2 contains an authorization flaw in its XAPPLEPUSHSERVICE (XAPS) command that lets authe

CVE-2026-47088 LOW
3.1 Jul 16

Heap over-read in Cyrus IMAP through version 3.12.2 enables authenticated IMAP users to leak server heap memory by submi

Share

CVE-2026-47089 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy