Skip to main content

Cyrus IMAP EUVDEUVD-2026-45006

| CVE-2026-47083 MEDIUM
Observable Response Discrepancy (CWE-204)
2026-07-16 mitre GHSA-7m4j-qx5p-343w
4.3
CVSS 3.1 · Vendor: mitre
Share

Severity by source

Vendor (mitre) PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
vuln.today AI
4.3 MEDIUM

Network-accessible IMAP command requiring valid credentials (PR:L); only low confidentiality impact as folder names and UIDs are exposed but message content is not readable.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (mitre).

CVSS VectorVendor: mitre

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

2
Patch available
Jul 16, 2026 - 20:48 EUVD
Analysis Generated
Jul 16, 2026 - 19:01 vuln.today

DescriptionCVE.org

An issue was discovered in cyrus-imapd in Cyrus IMAP through 3.12.2. There is an ESEARCH cross-user content oracle. By using the ESEARCH command, an authenticated IMAP user could enumerate folder names under any account they could name. Search would return UIDs of messages matching the search, creating a content oracle (without allowing arbitrary reads of the target's content).

AnalysisAI

Cross-user information disclosure in Cyrus IMAP through 3.12.2 allows any authenticated IMAP user to enumerate folder names and retrieve message UIDs belonging to arbitrary other accounts via the ESEARCH command, creating a content oracle. The flaw (CWE-204, Observable Response Discrepancy) leaks mailbox structure - including folder names that may reveal sensitive organizational or personal context - without permitting reads of actual message content. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain authenticated IMAP account on target server
Delivery
Issue ESEARCH command targeting victim's namespace
Exploit
Observe returned UID counts and message identifiers
Execution
Vary search terms to enumerate folder names
Persist
Map victim's mailbox structure
Impact
Infer sensitive organizational or personal information from folder naming

Vulnerability AssessmentAI

Exploitation The attacker must hold a valid, authenticated IMAP account on the affected server (CVSS PR:L confirms this requirement). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N and score of 4.3 are well-calibrated: the attack is network-reachable with low complexity but requires a valid authenticated account (PR:L), and impact is strictly limited to low confidentiality - folder names and UIDs are disclosed, but message bodies cannot be read. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with a low-privilege authenticated account on a shared Cyrus IMAP server - such as a student on a university mail system or a customer on an ISP - issues ESEARCH commands targeting named victim accounts (e.g., user.targetname) with varied search criteria. The server returns UID lists for matching messages, confirming the existence of specific folders and the presence of messages meeting the search conditions, allowing the attacker to infer sensitive organizational structure (e.g., confirming a folder named 'legal-hold' or 'acquisition-talks' exists) without ever reading message content. …
Remediation Upgrade to Cyrus IMAP 3.12.3 or later as indicated by the vendor release notes at https://www.cyrusimap.org/3.12/imap/download/release-notes/3.12/x/3.12.3.html; the general release index at https://www.cyrusimap.org/imap/download/release-notes/index.html should be consulted for fixes applicable to other supported branches. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2017-12843 MEDIUM
6.5 Aug 22

Cyrus IMAP before 3.0.3 allows remote authenticated users to write to arbitrary files via a crafted (1) SYNCAPPLY, (2) S

CVE-2026-47084 MEDIUM
6.5 Jul 16

Unauthorized mailbox deletion in Cyrus IMAP through 3.12.2 allows any authenticated non-admin user to invoke the admin-o

CVE-2024-34055 MEDIUM
6.5 Jun 05

Cyrus IMAP before 3.8.3 and 3.10.x before 3.10.0-rc1 allows authenticated attackers to cause unbounded memory allocation

CVE-2026-47082 MEDIUM
5.4 Jul 16

Incorrect authorization in Cyrus IMAP through 3.12.2 allows authenticated users to bypass mailbox ACL enforcement via th

CVE-2026-47089 MEDIUM
4.3 Jul 16

Cyrus IMAP through 3.12.2 exposes mailbox ACL data to any authenticated user via the IMAP LISTRIGHTS command, which lack

CVE-2026-47085 MEDIUM
4.0 Jul 16

URLAUTH token forgery in Cyrus IMAP through 3.12.2 allows a network-based unauthenticated attacker to read the contents

CVE-2026-47086 LOW
3.5 Jul 16

Unauthorized mailbox access in Cyrus IMAP through 3.12.2 allows any authenticated user to read email from mailboxes they

CVE-2026-47087 LOW
3.5 Jul 16

Cyrus IMAP through version 3.12.2 fails to invalidate URLAUTH-minted URLs when the authorizer's access is subsequently r

CVE-2026-47081 LOW
3.1 Jul 16

Cyrus IMAP through version 3.12.2 contains an authorization flaw in its XAPPLEPUSHSERVICE (XAPS) command that lets authe

CVE-2026-47088 LOW
3.1 Jul 16

Heap over-read in Cyrus IMAP through version 3.12.2 enables authenticated IMAP users to leak server heap memory by submi

Share

EUVD-2026-45006 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy