CVE-2026-47086 in Cyrus IMAPinfo

Summary

by MITRE • 07/16/2026

An issue was discovered in cyrus-imapd in Cyrus IMAP through 3.12.2. GENURLAUTH-issued tokens can bypass ACLs. Any authenticated user could mint a URLAUTH token (via the GENURLAUTH command) for any mailbox they could name, even without read access on it. This would allow reading mail from mailboxes despite having no granted permissions.

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Analysis

by VulDB Data Team • 07/16/2026

This vulnerability in cyrus-imapd represents a critical access control flaw that undermines the fundamental security model of the IMAP server. The issue stems from improper validation of mailbox access permissions during the generation of URLAUTH tokens, allowing authenticated users to create tokens for mailboxes they should not be able to access. This weakness exists in versions through 3.12.2 and directly violates the principle of least privilege that governs secure access control systems.

The technical flaw manifests in the GENURLAUTH command implementation where the server fails to verify whether the requesting user has adequate permissions to access the target mailbox before generating a URLAUTH token. This allows malicious users to exploit the system by generating tokens for mailboxes they cannot normally read, effectively bypassing the Access Control List mechanisms that should protect mailbox contents. The vulnerability operates at the application layer and can be exploited through standard IMAP protocol commands without requiring elevated privileges.

The operational impact of this vulnerability is significant as it enables unauthorized information disclosure across multiple mailboxes within the IMAP server environment. An authenticated user could potentially access sensitive email communications belonging to other users, including those with different permission levels or roles. This creates a substantial risk for organizations relying on cyrus-imapd for email services, particularly in environments where mailbox isolation is critical for privacy and compliance requirements.

From a cybersecurity perspective, this vulnerability aligns with CWE-284 Access Control Issues and represents a privilege escalation vector that could be leveraged by attackers to gain unauthorized access to sensitive information. The flaw also maps to ATT&CK technique T1078 Valid Accounts, as it allows users to effectively impersonate access to resources they should not legitimately possess. Organizations using this software should immediately apply patches or implement workarounds to prevent token generation for restricted mailboxes.

Mitigation strategies include applying the latest security patches from the cyrus-imapd maintainers, implementing additional access controls at the network level, and monitoring for unauthorized GENURLAUTH command usage. Administrators should also consider disabling URLAUTH functionality if not required, as this eliminates the attack surface entirely. Regular security audits of access control mechanisms and user permission assignments should be conducted to prevent similar issues from emerging in other components of the email infrastructure.

This vulnerability demonstrates the importance of proper input validation and access control enforcement even within authenticated sessions, highlighting how seemingly minor implementation flaws can lead to significant security breaches. Organizations should conduct comprehensive assessments of their IMAP server configurations and ensure that all authentication and authorization mechanisms are properly validated before granting access to sensitive resources.

Responsible

MITRE

Reservation

05/18/2026

Disclosure

07/16/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very high

Sources

Want to know what is going to be exploited?

We predict KEV entries!