CVE-2026-47085 in Cyrus IMAPinfo

Summary

by MITRE • 07/16/2026

An issue was discovered in cyrus-imapd in Cyrus IMAP through 3.12.2. URLAUTH token forgery can occur via a missing mboxkey. If an attacker knew a folder name on the victim's account for which the victim had never issued an auth URL, they could forge a working URLAUTH token by computing an HMAC-SHA1 value with a predictable key, giving them read access to the mailbox. (URLAUTH is an obscure feature, meaning that the odds of any user actually being susceptible to this attack are very low. Perhaps no public clients use URLAUTH.)

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Analysis

by VulDB Data Team • 07/16/2026

The vulnerability in cyrus-imapd version 3.12.2 represents a significant security flaw in the URLAUTH authentication mechanism that could potentially allow unauthorized access to mailbox contents. This issue stems from a missing mboxkey implementation that creates predictable cryptographic conditions for token generation. The flaw specifically affects systems where users have folders on their accounts for which they have never generated an authenticated URL, creating a window of opportunity for attackers to exploit the system's cryptographic weaknesses.

The technical implementation of this vulnerability involves the improper handling of HMAC-SHA1 calculations within the URLAUTH framework. When a user has not previously issued an authentication URL for a specific mailbox folder, the system fails to properly generate or validate the mboxkey required for secure token creation. This missing security component allows attackers to compute valid HMAC-SHA1 values using predictable key material, effectively bypassing normal authentication mechanisms. The cryptographic weakness manifests when the system defaults to insecure key generation patterns rather than implementing proper randomization or derived key mechanisms that would prevent such forgery.

The operational impact of this vulnerability extends beyond simple unauthorized access to potentially compromise sensitive email communications stored in affected mailboxes. While URLAUTH is described as an obscure feature with limited client support, the potential for exploitation remains significant given that even minimal exposure through predictable key generation can provide attackers with read access to targeted mailbox contents. The attack vector requires knowledge of specific folder names on victim accounts, but this information may be readily available through social engineering or reconnaissance activities that do not require prior system compromise.

Security practitioners should consider this vulnerability in the context of CWE-310, which addresses cryptographic issues related to weak key generation and predictable randomness in authentication systems. The flaw also aligns with ATT&CK technique T1566, specifically targeting credential access through social engineering or reconnaissance methods that could lead to exploitation of such cryptographic weaknesses. Organizations maintaining cyrus-imapd installations should prioritize patching to address this vulnerability, particularly in environments where mailbox security is critical and where the potential for insider threats or targeted attacks exists.

The mitigation strategy involves implementing proper mboxkey generation mechanisms that ensure cryptographic randomness and prevent predictable key derivation patterns. System administrators should verify that all URLAUTH implementations properly validate and generate unique cryptographic keys for each mailbox access request. Additionally, organizations should consider disabling URLAUTH functionality entirely if not actively used, as the security implications of such obscure features often outweigh their limited utility in modern email environments. Regular security audits of authentication mechanisms and cryptographic implementations should be conducted to identify similar vulnerabilities that could potentially allow unauthorized access through predictable key generation or insufficient randomness in token creation processes.

Responsible

MITRE

Reservation

05/18/2026

Disclosure

07/16/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

low

Sources

Want to stay up to date on a daily basis?

Enable the mail alert feature now!