CVE-2026-47089 in Cyrus IMAP
Summary
by MITRE • 07/16/2026
An issue was discovered in cyrus-imapd in Cyrus IMAP through 3.12.2. LISTRIGHTS os not limited to users with admin access. An authenticated user could call IMAP LISTRIGHTS against any mailbox they could name and learn what principals had what access to it. (This action should have been restricted to users with admin access on the target mailbox.)
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 07/16/2026
This vulnerability resides in the Cyrus IMAP server software version 3.12.2 and earlier, where the LISTRIGHTS command fails to properly enforce access controls. The flaw allows any authenticated user to query the access rights of any mailbox they can name, regardless of whether they possess administrative privileges on that specific mailbox. This represents a significant privilege escalation issue within the IMAP protocol implementation.
The technical nature of this vulnerability stems from improper authorization checks within the LISTRIGHTS command implementation. Under normal circumstances, this command should only be accessible to users with administrative rights on the target mailbox, as it reveals detailed access control information about mailbox permissions. However, the current implementation lacks proper validation of user privileges before executing the access rights lookup, creating an information disclosure vulnerability that violates fundamental security principles.
Operationally, this vulnerability enables malicious authenticated users to gather comprehensive intelligence about mailbox access controls across the IMAP server. Attackers could systematically enumerate access rights for multiple mailboxes, potentially identifying administrative accounts, sensitive mailboxes, or those with elevated privileges. This reconnaissance capability significantly increases the attack surface and could facilitate further exploitation attempts such as privilege escalation or targeted attacks against specific mailbox owners.
The vulnerability aligns with CWE-284 (Improper Access Control) and represents a clear violation of the principle of least privilege. From an ATT&CK perspective, this maps to T1078 (Valid Accounts) and T1566 (Phishing) as attackers could leverage this information to craft more sophisticated social engineering campaigns or identify potential targets for further compromise. The lack of proper authorization enforcement creates a persistent security gap that remains exploitable until addressed through proper access control implementation.
Mitigation strategies should focus on implementing strict access controls for the LISTRIGHTS command, ensuring that only users with appropriate administrative privileges can execute this operation against target mailboxes. System administrators should immediately upgrade to versions of Cyrus IMAP that address this vulnerability, as no effective workarounds exist for the current implementation. Additionally, monitoring and logging of LISTRIGHTS operations should be implemented to detect unauthorized access attempts and establish baseline behavior for security analytics.