CVE-2026-47083 in Cyrus IMAPinfo

Summary

by MITRE • 07/16/2026

An issue was discovered in cyrus-imapd in Cyrus IMAP through 3.12.2. There is an ESEARCH cross-user content oracle. By using the ESEARCH command, an authenticated IMAP user could enumerate folder names under any account they could name. Search would return UIDs of messages matching the search, creating a content oracle (without allowing arbitrary reads of the target's content).

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 07/16/2026

This vulnerability exists within the Cyrus IMAP server implementation version 3.12.2 and earlier, representing a significant information disclosure flaw that undermines the confidentiality and integrity of email communications. The issue stems from an improperly secured ESEARCH command functionality that allows authenticated users to perform cross-user folder enumeration without authorization. When an attacker executes an ESEARCH query against a target account, they can observe the unique identifiers of messages within that user's mailbox, effectively creating a content oracle that reveals folder structure and message existence patterns without enabling direct access to message contents.

The technical flaw manifests through improper access control mechanisms within the ESEARCH command implementation where the server fails to adequately validate or restrict cross-user queries. This vulnerability specifically affects authenticated IMAP users who can leverage their credentials to issue search commands targeting arbitrary user accounts. The system's failure to implement proper authorization checks means that while users cannot directly read message content, they can determine which folders exist and potentially infer information about message volumes and types within those folders. This creates a reconnaissance capability that significantly weakens the overall security posture of the email infrastructure.

The operational impact of this vulnerability extends beyond simple information gathering as it enables attackers to perform targeted enumeration attacks against user accounts within the system. An attacker could systematically query multiple accounts to build comprehensive directory maps of users and their folder structures, potentially identifying sensitive accounts or those containing specific types of messages. This information can then be used in conjunction with other attack vectors such as credential brute-forcing or phishing campaigns, making this a critical vulnerability for organizations relying on Cyrus IMAP for email services.

Organizations should implement immediate mitigations including upgrading to Cyrus IMAP version 3.12.3 or later where this vulnerability has been addressed through enhanced access control checks within the ESEARCH command implementation. Additionally, administrators should review and harden IMAP server configurations to limit unnecessary search capabilities and ensure proper user authorization enforcement. The vulnerability aligns with CWE-284 Access Control Issues, specifically related to improper access control in multi-user environments, and could be leveraged as part of broader attack patterns documented under the ATT&CK framework's reconnaissance phase, particularly T1590 - Gather Victim Identity Information and T1592 - Gather Victim Network Information. Proper monitoring should be implemented to detect unusual search patterns or bulk enumeration attempts against multiple user accounts that may indicate exploitation of this vulnerability.

Responsible

MITRE

Reservation

05/18/2026

Disclosure

07/16/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

low

Sources

Do you need the next level of professionalism?

Upgrade your account now!