CVE-2026-47087 in Cyrus IMAP
Summary
by MITRE • 07/16/2026
An issue was discovered in cyrus-imapd in Cyrus IMAP through 3.12.2. URLAUTH does not honor revoked authorizer access. A URLAUTH URL minted while the authorizer had access continued to work after that access was revoked.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 07/16/2026
The vulnerability in Cyrus IMAPD version 3.12.2 represents a critical authorization bypass flaw that undermines the security model of the email server implementation. This issue specifically affects the URLAUTH mechanism, which is designed to provide secure delegation of access rights through URL-based tokens. The flaw demonstrates a fundamental failure in session management where the system fails to properly validate the continued legitimacy of access tokens after the original authorizer's privileges have been revoked.
The technical nature of this vulnerability stems from improper state validation within the URLAUTH implementation. When an authorizer grants access through a URLAUTH token, the system should maintain an active check against the authorizer's current access rights and immediately invalidate any tokens if those rights are subsequently revoked. However, the flawed implementation allows previously issued tokens to remain functional even after the underlying authorization has been withdrawn, creating a persistent security loophole that can be exploited by malicious actors.
This vulnerability has significant operational impact within email server environments where Cyrus IMAPD is deployed. The continued functionality of revoked tokens means that unauthorized access can persist even after administrative actions have removed legitimate privileges from users or services. Attackers who gain access to valid URLAUTH tokens can maintain persistent access to mailboxes and email resources long after they should have been invalidated, potentially leading to data breaches, unauthorized email access, and privilege escalation within the email infrastructure.
The flaw maps directly to CWE-284 Access Control Bypass, which specifically addresses situations where systems fail to properly enforce access controls after initial authorization has been granted. From an ATT&CK framework perspective, this vulnerability corresponds to techniques involving privilege escalation and persistence mechanisms, as attackers can maintain access beyond their intended privileges through the continued validity of revoked tokens. The issue also relates to credential exposure and lateral movement tactics since compromised tokens can be used to access additional resources within the email ecosystem.
Security practitioners should immediately implement mitigations including updating to patched versions of Cyrus IMAPD where this vulnerability has been addressed, implementing monitoring for suspicious URLAUTH token usage patterns, and conducting thorough audits of existing URLAUTH tokens to identify potentially compromised sessions. Additionally, administrators should review and tighten access control policies around authorizer assignments and establish more frequent token rotation schedules to minimize the window of opportunity for exploitation. The vulnerability underscores the critical importance of proper session management and authorization state validation in secure system implementations.