Skip to main content

Cyrus IMAP EUVDEUVD-2026-45005

| CVE-2026-47082 MEDIUM
Incorrect Authorization (CWE-863)
2026-07-16 mitre GHSA-pwfr-vrq6-chw9
5.4
CVSS 3.1 · Vendor: mitre
Share

Severity by source

Vendor (mitre) PRIMARY
5.4 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
vuln.today AI
5.4 MEDIUM

PR:L because a valid authenticated account and ManageSieve write access are required; C:N because the flaw enables write-only mailbox injection, not read access; I:L and A:L reflect unauthorized message delivery and potential mailbox flooding.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (mitre).

CVSS VectorVendor: mitre

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
Low

Lifecycle Timeline

2
Patch available
Jul 16, 2026 - 20:48 EUVD
Analysis Generated
Jul 16, 2026 - 19:01 vuln.today

DescriptionCVE.org

An issue was discovered in cyrus-imapd in Cyrus IMAP through 3.12.2. The vacation "fcc" feature skips the destination-mailbox ACL. A user whose vacation Sieve script used :fcc (to save a copy of the sent message) could deliver vacation auto-reply copies into any mailbox the script could name, regardless of whether the script owner had insert permissions on the destination mailbox.

AnalysisAI

Incorrect authorization in Cyrus IMAP through 3.12.2 allows authenticated users to bypass mailbox ACL enforcement via the vacation Sieve script :fcc (file carbon copy) feature, enabling unauthorized message injection into any mailbox nameable by the script regardless of insert permissions. The CVSS vector (PR:L, AV:N) confirms network-triggerable exploitation requiring only a valid authenticated account, with low integrity and availability impact (C:N/I:L/A:L). …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate as valid IMAP user
Delivery
Craft Sieve vacation script with malicious :fcc target mailbox
Exploit
Upload script via ManageSieve
Execution
Await or arrange inbound email to trigger vacation auto-reply
Persist
Server fires vacation response, skipping ACL check on fcc destination
Impact
Unauthorized copy delivered to target mailbox

Vulnerability AssessmentAI

Exploitation Exploitation requires the attacker to hold a valid authenticated account on the Cyrus IMAP server (PR:L per CVSS vector) and to have ManageSieve access sufficient to create or modify a vacation Sieve script using the `:fcc` parameter. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment CVSS 5.4 Medium (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L) reflects a network-reachable but authentication-gated flaw. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An authenticated Cyrus IMAP user with ManageSieve access uploads a vacation Sieve script specifying a high-value target mailbox - such as a shared administrative inbox or another user's private folder - as the `:fcc` destination. Once in place, every inbound email to the attacker's account triggers a vacation auto-reply, and a copy is silently delivered to the target mailbox in violation of its ACL. …
Remediation Upgrade Cyrus IMAP to version 3.12.3 or later, which contains the ACL enforcement fix per the vendor release notes at https://www.cyrusimap.org/3.12/imap/download/release-notes/3.12/x/3.12.3.html. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2017-12843 MEDIUM
6.5 Aug 22

Cyrus IMAP before 3.0.3 allows remote authenticated users to write to arbitrary files via a crafted (1) SYNCAPPLY, (2) S

CVE-2026-47084 MEDIUM
6.5 Jul 16

Unauthorized mailbox deletion in Cyrus IMAP through 3.12.2 allows any authenticated non-admin user to invoke the admin-o

CVE-2024-34055 MEDIUM
6.5 Jun 05

Cyrus IMAP before 3.8.3 and 3.10.x before 3.10.0-rc1 allows authenticated attackers to cause unbounded memory allocation

CVE-2026-47083 MEDIUM
4.3 Jul 16

Cross-user information disclosure in Cyrus IMAP through 3.12.2 allows any authenticated IMAP user to enumerate folder na

CVE-2026-47089 MEDIUM
4.3 Jul 16

Cyrus IMAP through 3.12.2 exposes mailbox ACL data to any authenticated user via the IMAP LISTRIGHTS command, which lack

CVE-2026-47085 MEDIUM
4.0 Jul 16

URLAUTH token forgery in Cyrus IMAP through 3.12.2 allows a network-based unauthenticated attacker to read the contents

CVE-2026-47086 LOW
3.5 Jul 16

Unauthorized mailbox access in Cyrus IMAP through 3.12.2 allows any authenticated user to read email from mailboxes they

CVE-2026-47087 LOW
3.5 Jul 16

Cyrus IMAP through version 3.12.2 fails to invalidate URLAUTH-minted URLs when the authorizer's access is subsequently r

CVE-2026-47081 LOW
3.1 Jul 16

Cyrus IMAP through version 3.12.2 contains an authorization flaw in its XAPPLEPUSHSERVICE (XAPS) command that lets authe

CVE-2026-47088 LOW
3.1 Jul 16

Heap over-read in Cyrus IMAP through version 3.12.2 enables authenticated IMAP users to leak server heap memory by submi

Share

EUVD-2026-45005 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy