Skip to main content

Cyrus IMAP EUVDEUVD-2026-45008

| CVE-2026-47085 MEDIUM
Generation of Predictable Numbers or Identifiers (CWE-340)
2026-07-16 mitre GHSA-8jrh-wq6h-53c4
4.0
CVSS 3.1 · Vendor: mitre
Share

Severity by source

Vendor (mitre) PRIMARY
4.0 MEDIUM
AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N
vuln.today AI
4.0 MEDIUM

Network-exploitable via URLAUTH with no attacker authentication needed; AC:H for the per-folder mboxkey-absence prerequisite outside attacker control; S:C reflects cross-account boundary read access.

3.1 AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N
4.0 AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (mitre).

CVSS VectorVendor: mitre

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

2
Patch available
Jul 16, 2026 - 20:48 EUVD
Analysis Generated
Jul 16, 2026 - 19:02 vuln.today

DescriptionCVE.org

An issue was discovered in cyrus-imapd in Cyrus IMAP through 3.12.2. URLAUTH token forgery can occur via a missing mboxkey. If an attacker knew a folder name on the victim's account for which the victim had never issued an auth URL, they could forge a working URLAUTH token by computing an HMAC-SHA1 value with a predictable key, giving them read access to the mailbox. (URLAUTH is an obscure feature, meaning that the odds of any user actually being susceptible to this attack are very low. Perhaps no public clients use URLAUTH.)

AnalysisAI

URLAUTH token forgery in Cyrus IMAP through 3.12.2 allows a network-based unauthenticated attacker to read the contents of a victim's mailbox folder by computing a forged authentication token using a predictable HMAC-SHA1 key. The predictability arises specifically when a victim has never issued a URLAUTH-authenticated URL for a given folder, leaving the per-folder mboxkey absent and thus falling back to a computable value. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify or enumerate victim IMAP folder name
Delivery
Confirm no prior URLAUTH token issued for that folder
Exploit
Compute HMAC-SHA1 with predictable absent mboxkey
Execution
Present forged URLAUTH token to Cyrus IMAP server
Impact
Read victim mailbox folder contents

Vulnerability AssessmentAI

Exploitation Exploitation requires three concurrent conditions to be satisfied: first, the target must be running Cyrus IMAP version 3.12.2 or earlier with the URLAUTH extension active and reachable; second, the attacker must have obtained knowledge of at least one valid folder name on the victim's IMAP account (e.g., 'INBOX', 'Sent', or a custom folder); and third, the victim user must never have issued a URLAUTH authentication URL for that specific folder - the instant the legitimate user generates any URLAUTH for a folder, a proper random mboxkey is created and stored, eliminating the predictable-key condition for that folder permanently. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 base score of 4.0 (Medium) with vector AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N reflects a balanced picture: the network attack vector and absence of required attacker authentication (PR:N) lower the barrier to exploitation, while high attack complexity (AC:H) acknowledges the prerequisite knowledge requirements. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has enumerated or guessed a valid IMAP folder name on a target account - for example, through IMAP LIST responses if unauthenticated enumeration is permitted, or through knowledge of common folder naming conventions - checks whether that folder has ever had a URLAUTH token issued by the legitimate user. If no mboxkey exists for that folder, the attacker computes an HMAC-SHA1 value using the predictable key material and constructs a forged URLAUTH token, which the Cyrus IMAP server validates as authentic, granting read access to that folder's mail contents. …
Remediation Upgrade Cyrus IMAP to version 3.12.3 or later, as indicated by the vendor release notes at https://www.cyrusimap.org/3.12/imap/download/release-notes/3.12/x/3.12.3.html. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2017-12843 MEDIUM
6.5 Aug 22

Cyrus IMAP before 3.0.3 allows remote authenticated users to write to arbitrary files via a crafted (1) SYNCAPPLY, (2) S

CVE-2026-47084 MEDIUM
6.5 Jul 16

Unauthorized mailbox deletion in Cyrus IMAP through 3.12.2 allows any authenticated non-admin user to invoke the admin-o

CVE-2024-34055 MEDIUM
6.5 Jun 05

Cyrus IMAP before 3.8.3 and 3.10.x before 3.10.0-rc1 allows authenticated attackers to cause unbounded memory allocation

CVE-2026-47082 MEDIUM
5.4 Jul 16

Incorrect authorization in Cyrus IMAP through 3.12.2 allows authenticated users to bypass mailbox ACL enforcement via th

CVE-2026-47083 MEDIUM
4.3 Jul 16

Cross-user information disclosure in Cyrus IMAP through 3.12.2 allows any authenticated IMAP user to enumerate folder na

CVE-2026-47089 MEDIUM
4.3 Jul 16

Cyrus IMAP through 3.12.2 exposes mailbox ACL data to any authenticated user via the IMAP LISTRIGHTS command, which lack

CVE-2026-47086 LOW
3.5 Jul 16

Unauthorized mailbox access in Cyrus IMAP through 3.12.2 allows any authenticated user to read email from mailboxes they

CVE-2026-47087 LOW
3.5 Jul 16

Cyrus IMAP through version 3.12.2 fails to invalidate URLAUTH-minted URLs when the authorizer's access is subsequently r

CVE-2026-47081 LOW
3.1 Jul 16

Cyrus IMAP through version 3.12.2 contains an authorization flaw in its XAPPLEPUSHSERVICE (XAPS) command that lets authe

CVE-2026-47088 LOW
3.1 Jul 16

Heap over-read in Cyrus IMAP through version 3.12.2 enables authenticated IMAP users to leak server heap memory by submi

Share

EUVD-2026-45008 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy