CVE-2026-47082 in Cyrus IMAP
Summary
by MITRE • 07/16/2026
An issue was discovered in cyrus-imapd in Cyrus IMAP through 3.12.2. The vacation "fcc" feature skips the destination-mailbox ACL. A user whose vacation Sieve script used :fcc (to save a copy of the sent message) could deliver vacation auto-reply copies into any mailbox the script could name, regardless of whether the script owner had insert permissions on the destination mailbox.
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 07/16/2026
The vulnerability in cyrus-imapd affects the vacation feature's implementation of the Sieve fcc (file copy to mailbox) functionality, creating a privilege escalation vector through improper access control enforcement. This issue exists within the IMAP server software version 3.12.2 and earlier, where the vacation script processing logic fails to validate destination mailbox permissions before executing file copy operations. The flaw specifically impacts the Sieve scripting language implementation that allows users to configure automated responses with message copies stored in designated mailboxes. When a user configures a vacation script using the :fcc mechanism, the system should enforce access control checks against the target mailbox but instead bypasses these security validations entirely.
The technical nature of this vulnerability stems from a missing authorization check in the vacation script execution path. According to CWE-284, this represents an improper access control weakness where the system grants privileges beyond what is authorized for the executing user. The flaw operates at the application level within the IMAP server's mail handling logic, specifically during automated response processing when Sieve scripts are evaluated. This bypass allows malicious or unauthorized users to deliver auto-reply messages into any mailbox they can reference in their vacation script configuration, regardless of whether they possess the necessary insert permissions for those target mailboxes.
The operational impact of this vulnerability extends beyond simple information disclosure, creating potential for message manipulation and privacy violations across multiple user accounts. An attacker could leverage this weakness to deliver vacation responses directly into sensitive mailboxes such as those belonging to system administrators, executives, or other users with elevated privileges. This capability enables unauthorized message injection into mailboxes where the attacker normally would not have write access, potentially leading to information leakage, social engineering attacks, or disruption of normal communication patterns. The vulnerability affects all users who configure vacation scripts using the :fcc option, making it a widespread concern across deployments utilizing this functionality.
Mitigation strategies should focus on implementing proper access control validation for all mailbox operations within Sieve script execution contexts. System administrators should immediately upgrade to patched versions of cyrus-imapd where the ACL enforcement has been corrected. The fix requires ensuring that any mailbox referenced in an fcc directive undergoes the same permission checks as other mailbox operations, validating that the script owner possesses the necessary insert permissions for the target mailbox before executing the copy operation. Organizations should also consider implementing monitoring for unusual vacation script configurations and message delivery patterns to detect potential exploitation attempts. This vulnerability aligns with ATT&CK technique T1078.004, which covers valid accounts used for persistence and privilege escalation through legitimate system access points.
The security implications of this flaw represent a significant concern for organizations relying on automated response systems within their email infrastructure. The bypassed access controls create opportunities for unauthorized message injection that could be leveraged in targeted attacks against specific users or departments. Additionally, the vulnerability may enable attackers to circumvent normal email filtering and monitoring mechanisms by delivering messages directly into user mailboxes where they might otherwise be detected or blocked by security policies. Organizations should conduct thorough audits of vacation script configurations across all user accounts to identify potentially compromised setups and implement mandatory access control checks for all Sieve operations involving mailbox manipulation functions.