CVE-2026-47081 in Cyrus IMAPinfo

Summary

by MITRE • 07/16/2026

An issue was discovered in cyrus-imapd in Cyrus IMAP through 3.12.2. There is an XAPPLEPUSHSERVICE folder existence oracle and push hijack. An authenticated IMAP user could probe for the existence of arbitrary mailboxes on other users' accounts via the XAPPLEPUSHSERVICE command and then create Apple Push Notification Service notifications for new mail in those mailboxes to their own APNS device. This did not leak any data about the content of mailboxes. Instead, a "mailbox has changed" notice would be pushed when the mailbox modseq changed.

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Analysis

by VulDB Data Team • 07/16/2026

The vulnerability identified in cyrus-imapd version 3.12.2 represents a significant information disclosure and privilege escalation concern within the IMAP protocol implementation. This flaw enables authenticated users to perform mailbox existence probing through the XAPPLEPUSHSERVICE command, which was designed for Apple Push Notification Service integration. The vulnerability stems from insufficient access controls and validation mechanisms that allow malicious actors to enumerate mailboxes across different user accounts without proper authorization.

The technical exploitation of this vulnerability occurs through the manipulation of the XAPPLEPUSHSERVICE command which typically handles Apple Push Notification Service notifications for mailbox changes. When an authenticated user issues this command with specific mailbox parameters, the system reveals whether the targeted mailbox exists on the server, creating a timing-based oracle that can be leveraged to discover valid mailbox names. This functionality was originally intended to support legitimate Apple push notification workflows but was not properly restricted to prevent unauthorized enumeration.

The operational impact of this vulnerability extends beyond simple information disclosure as it enables a form of push notification hijacking that can be used for reconnaissance and subsequent attacks. By discovering the existence of specific mailboxes, an attacker could potentially map out user account structures and identify high-value targets within an organization. The system's response to mailbox modifications through modseq changes creates a subtle but effective method for monitoring mailbox activity without direct access to message content, which aligns with attack patterns described in the mitre ATT&CK framework under reconnaissance and credential access phases.

This vulnerability falls under CWE-200 (Information Exposure) and CWE-352 (Cross-Site Request Forgery) categories, representing a clear violation of information confidentiality principles. The flaw enables unauthorized users to bypass normal access controls through legitimate protocol mechanisms, creating an attack vector that could be combined with other techniques to build more comprehensive reconnaissance capabilities. Organizations utilizing cyrus-imapd may experience indirect data leakage through the exposure of user account structures and mailbox naming conventions, which could aid in targeted social engineering or brute force attacks against user credentials.

The recommended mitigations include implementing proper access controls for the XAPPLEPUSHSERVICE command, ensuring that users can only create push notifications for mailboxes they legitimately own or have explicit access to. System administrators should also consider disabling Apple Push Notification Service integration when it is not required for business operations, and implement additional monitoring of mailbox existence queries to detect anomalous usage patterns. Patching to newer versions of cyrus-imapd that address this specific vulnerability represents the most effective immediate solution. The vulnerability demonstrates the importance of validating all user inputs and ensuring proper authorization checks are in place even for protocol extensions designed for legitimate use cases, as highlighted in industry best practices for secure IMAP implementation and network security monitoring.

Responsible

MITRE

Reservation

05/18/2026

Disclosure

07/16/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

low

Sources

Might our Artificial Intelligence support you?

Check our Alexa App!