CVE-2019-18928
Description
Cyrus IMAP 2.5.x before 2.5.14 and 3.x before 3.0.12 allows privilege escalation because an HTTP request may be interpreted in the authentication context of an unrelated previous request that arrived over the same connection.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Cyrus IMAP versions prior to 2.5.14 and 3.0.12 allow privilege escalation via HTTP requests inheriting authentication context from previous requests on the same connection.
Vulnerability
Cyrus IMAP 2.5.x before 2.5.14 and 3.x before 3.0.12 contain a privilege escalation vulnerability in the HTTP service. An HTTP request may be interpreted in the authentication context of an unrelated previous request that arrived over the same connection, allowing an unauthenticated request to inherit authentication from a prior authenticated request on the same connection [1].
Exploitation
An attacker can exploit this vulnerability by sending an unauthenticated HTTP request on a persistent connection that previously carried an authenticated HTTP request. The server erroneously associates the new request with the authentication context of the earlier request, effectively treating the attacker as an authenticated user [1].
Impact
Successful exploitation allows an attacker to act as an authenticated user, potentially accessing or modifying mail data and escalating privileges to the level of the previous authenticated session. This can lead to unauthorized information disclosure, data manipulation, or further compromise of the IMAP server [1].
Mitigation
The vulnerability is fixed in Cyrus IMAP 2.5.14 and 3.0.12 [1]. Users should upgrade to these versions or later. No workarounds are documented.
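To illustrate the failure mode described above, here is an added toy model (not Cyrus IMAP code) of a keep-alive HTTP connection handler that keeps the authenticated identity in per-connection state, beside a handler that authenticates every request on its own. The Request and connection classes, the user table, the non-encoded "Basic" credential format and the paths are all constructed for this example.

```python
"""Toy model of a per-connection authentication context leaking into later
requests on the same persistent connection, and the per-request correction.
Illustrative only; none of this is Cyrus IMAP's httpd code."""
from dataclasses import dataclass
from typing import List, Optional

# Constructed credential table for the toy; no relation to any real deployment.
USERS = {"alice": "correct-horse"}


@dataclass
class Request:
    path: str
    authorization: Optional[str] = None  # toy format "Basic user:password", not base64


def check_credentials(header: Optional[str]) -> Optional[str]:
    """Return the user name if the header carries valid credentials, else None."""
    if not header or not header.startswith("Basic "):
        return None
    user, _, password = header[len("Basic "):].partition(":")
    return user if USERS.get(user) == password else None


@dataclass
class VulnerableConnection:
    """Identity is stored on the connection and only ever set, never cleared,
    so a later request without credentials inherits the earlier identity."""
    authed_user: Optional[str] = None

    def handle(self, req: Request) -> str:
        user = check_credentials(req.authorization)
        if user:
            self.authed_user = user  # sticks for the rest of the connection
        if self.authed_user is None:
            return "401 Unauthorized"
        return f"200 OK as {self.authed_user}: {req.path}"


@dataclass
class FixedConnection:
    """Each request is authenticated independently; nothing carries over."""

    def handle(self, req: Request) -> str:
        user = check_credentials(req.authorization)  # per-request, no stored identity
        if user is None:
            return "401 Unauthorized"
        return f"200 OK as {user}: {req.path}"


def replay(conn, requests: List[Request]) -> List[str]:
    """Send a request sequence over one persistent connection; return the responses."""
    return [conn.handle(r) for r in requests]


# Constructed sequence: an authenticated request, then one carrying no credentials.
SEQUENCE = [Request("/dav/user/alice/", "Basic alice:correct-horse"),
            Request("/dav/user/alice/")]
```

Running `replay(VulnerableConnection(), SEQUENCE)` serves the second, credential-less request as alice, while `replay(FixedConnection(), SEQUENCE)` rejects it with 401; the same replay against a server under test is a simple regression check for this class of bug.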
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: 2.5.x before 2.5.14, 3.x before 3.0.12
Patches
1 file changed · +7 −7
docsrc/conf.py+7 −7 modified@@ -71,9 +71,9 @@ # built documents. # # The short X.Y version. -version = '2.5.13' +version = '2.5.14' # The full version, including alpha/beta/rc tags. -release = '2.5.13' +release = '2.5.14' # The language for content autogenerated by Sphinx. Refer to documentation # for a list of supported languages. @@ -1063,11 +1063,11 @@ #epub_use_index = True rst_prolog = """ -.. |imap_last_stable_version| replace:: 2.5.13 +.. |imap_last_stable_version| replace:: 2.5.14 .. |imap_last_stable_branch| replace:: `cyrus-imapd-2.5` -.. |imap_last_stable_next_version| replace:: 2.5.13 + patches -.. |imap_current_stable_version| replace:: 3.0.11 -.. |imap_current_stable_next_version| replace:: 3.0.11 + patches +.. |imap_last_stable_next_version| replace:: 2.5.14 + patches +.. |imap_current_stable_version| replace:: 3.0.12 +.. |imap_current_stable_next_version| replace:: 3.0.12 + patches .. |imap_current_stable_branch| replace:: `cyrus-imapd-3.0` .. |imap_latest_development_version| replace:: 3.1.7 .. |imap_latest_development_branch| replace:: master @@ -1082,7 +1082,7 @@ .. |sasl_current_stable_version| replace:: 2.1.27 .. |imap_stable_release_notes| raw:: html - <a href="3.0/x/3.0.11.html">3.0.11</a> + <a href="3.0/x/3.0.12.html">3.0.12</a> .. |imap_development_release_notes| raw:: html
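Review bot: None of these hunks touch HTTP request or authentication handling, so this commit does not itself contain the fix for the issue the CVE describes; every change in docsrc/conf.py is a version string moving from 2.5.13 or 3.0.11 to 2.5.14 or 3.0.12 (`version`, `release`, the `rst_prolog` substitutions and the `|imap_stable_release_notes|` link). If this commit is cited as the patch, the httpd change it accompanies should be referenced alongside it rather than standing in for it.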
1 file changed · +5 −5
docsrc/conf.py+5 −5 modified@@ -97,9 +97,9 @@ # May need to also update toplevel index.rst to point to other versions. # # The short X.Y version. -version = '3.0.11' +version = '3.0.12' # The full version, including alpha/beta/rc tags. -release = '3.0.11 (stable)' +release = '3.0.12 (stable)' # The language for content autogenerated by Sphinx. Refer to documentation # for a list of supported languages. @@ -429,9 +429,9 @@ # When this is updated, you may also need to update the version and release # definitions listed above to stay up to date. rst_prolog = """ -.. |imap_last_stable_version| replace:: 2.5.13 +.. |imap_last_stable_version| replace:: 2.5.14 .. |imap_last_stable_branch| replace:: `cyrus-imapd-2.5` -.. |imap_current_stable_version| replace:: 3.0.11 +.. |imap_current_stable_version| replace:: 3.0.12 .. |imap_current_stable_branch| replace:: `cyrus-imapd-3.0` .. |imap_latest_development_version| replace:: 3.1.7 .. |imap_latest_development_branch| replace:: master @@ -446,7 +446,7 @@ .. |sasl_current_stable_version| replace:: 2.1.27 .. |imap_stable_release_notes| raw:: html - <a href="3.0/x/3.0.11.html">3.0.11</a> + <a href="3.0/x/3.0.12.html">3.0.12</a> .. |imap_development_release_notes| raw:: html
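Review bot: The new `<a href="3.0/x/3.0.12.html">3.0.12</a>` link in the last hunk points at a release-notes page that this commit does not add (the header says 1 file changed), so the Sphinx build will carry a dangling link until that page lands; the release-notes page should either be part of this commit or land before it. The same applies to the `|imap_last_stable_version|` bump to 2.5.14 in the second hunk, whose target lives under 2.5/x/.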
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LAGKPZDXQ6KRUGQVRAO6N4PCINP6KS5F/ (Fedora vendor advisory)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PHV3TUU53WCKJ3BBRK2EHAF44MSZEFK6/ (Fedora vendor advisory)
- lists.debian.org/debian-lts-announce/2022/06/msg00013.html (Debian LTS mailing list)
- www.cyrusimap.org/imap/download/release-notes/2.5/x/2.5.14.html (release notes)
- www.cyrusimap.org/imap/download/release-notes/3.0/x/3.0.12.html (release notes)
News mentions
No linked articles in our index yet.