VYPR
advisoryPublished Jul 17, 2026· Updated Jul 18, 2026· 1 source

Cyrus IMAP: Nine Access Control and Auth Bypass Vulnerabilities Disclosed Together

Key findings • Nine vulnerabilities in Cyrus IMAP through 3.12.2 disclosed on July 17, 2026. • Multiple flaws allow authenticated users to bypass ACLs and access unauthorized mailboxes or dat…

Key findings

  • Nine vulnerabilities in Cyrus IMAP through 3.12.2 disclosed on July 17, 2026.
  • Multiple flaws allow authenticated users to bypass ACLs and access unauthorized mailboxes or data.
  • URLAUTH and GENURLAUTH mechanisms are susceptible to token forgery and access control bypasses.
  • Issues include mailbox deletion bypass, heap exposure, and cross-user content oracles.
  • Affected versions are Cyrus IMAP through 3.12.2; patching is strongly recommended.

On July 17, 2026, a batch of nine vulnerabilities was disclosed for Cyrus IMAP through version 3.12.2. These vulnerabilities, all disclosed on the same day, impact various aspects of the mail server's functionality, including access control, authentication, and message handling. The disclosures highlight several weaknesses in how Cyrus IMAP processes commands and manages user permissions, potentially allowing authenticated users to gain unauthorized access to mailboxes or sensitive information.

Several vulnerabilities revolve around the URLAUTH mechanism and its associated commands. CVE-2026-47085 describes a URLAUTH token forgery flaw due to a missing mboxkey, enabling attackers to potentially forge valid authentication tokens. Similarly, CVE-2026-47087 indicates that URLAUTH does not properly honor revoked authorizer access, meaning a URL valid at one point could remain usable even after permissions are changed. Furthermore, CVE-2026-47086 points out that GENURLAUTH-issued tokens can bypass Access Control Lists (ACLs), allowing any authenticated user to mint tokens for mailboxes they don't have access to, potentially leading to unauthorized reading of emails.

Other vulnerabilities impact mailbox management and access control. CVE-2026-47084 details how the LOCALDELETE command bypasses ACL checks, permitting authenticated but non-administrator users to delete mailboxes they do not have permissions for. The vacation feature's "fcc" (folder copy) functionality is also affected by CVE-2026-47082, which skips destination-mailbox ACLs, allowing vacation auto-replies to be saved in any mailbox specified by a user's Sieve script, regardless of permissions. Additionally, CVE-2026-47089 reveals that LISTRIGHTS is not limited to administrative users, enabling authenticated users to query access permissions for any mailbox they can name.

Memory and information disclosure issues are also present in this batch. CVE-2026-47088 describes a heap exposure in nested MIME comment parsing, where a crafted email could cause the server to read past the message's end in memory. CVE-2026-47081 highlights an XAPPLEPUSHSERVICE folder existence oracle and push hijack, allowing authenticated users to probe for other users' mailboxes and potentially hijack push notifications. Finally, CVE-2026-47083 details an ESEARCH cross-user content oracle, enabling authenticated users to enumerate folder names and search message content across different accounts.

The disclosed vulnerabilities affect Cyrus IMAP through version 3.12.2. Users are advised to update to a patched version as soon as possible to mitigate these security risks. The consistent disclosure date suggests a coordinated release of findings, emphasizing the importance of prompt patching for maintaining the security and integrity of email services.

These vulnerabilities collectively underscore the need for rigorous security auditing of complex mail server software. The range of issues, from authentication bypasses to information disclosure, presents a significant risk to organizations relying on Cyrus IMAP for their email infrastructure. Prompt application of patches is crucial to prevent potential exploitation and maintain the confidentiality and availability of user data.

The impact of these vulnerabilities could range from unauthorized access to sensitive emails to denial-of-service conditions or the exposure of user mailbox structures. Administrators should prioritize updating their Cyrus IMAP installations to the latest secure versions.

The batch of vulnerabilities disclosed on July 17, 2026, affects Cyrus IMAP through version 3.12.2. The issues include bypasses of access control lists, token forgery, information disclosure, and improper handling of user permissions across various commands and features.

The affected versions are Cyrus IMAP through 3.12.2. Users should update to a version that addresses these vulnerabilities.

The disclosure of these nine CVEs together highlights critical security weaknesses within Cyrus IMAP, particularly concerning access control and authentication mechanisms. The vulnerabilities allow authenticated users to perform actions beyond their intended privileges, such as deleting mailboxes, accessing unauthorized emails, and enumerating folder structures.

The prompt patching of these vulnerabilities is essential for organizations using Cyrus IMAP to prevent potential data breaches and maintain the integrity of their email systems.

The specific vulnerabilities include:

It is imperative for administrators to review their Cyrus IMAP configurations and apply necessary updates to secure their environments against these threats. The coordinated disclosure of these issues emphasizes a significant security event for the product.

Synthesized by Vypr AI