PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-47081 cyrusimap CVE debrief

An issue was discovered in cyrus-imapd in Cyrus IMAP through 3.12.2. There is an XAPPLEPUSHSERVICE folder existence oracle and push hijack. An authenticated IMAP user could probe for the existence of arbitrary mailboxes on other users' accounts via the XAPPLEPUSHSERVICE command and then create Apple Push Notification Service notifications for new mail in those mailboxes to their own APNS device. This issue affects multi-user environments, particularly those with shared mailboxes or complex access controls. The vulnerability allows for potential information leaks about mailbox existence and could be used to create unsolicited notifications.

Vendor
cyrusimap
Product
Cyrus IMAP
CVSS
LOW 3.1
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-16
Original CVE updated
2026-07-16
Advisory published
2026-07-16
Advisory updated
2026-07-16

Who should care

System administrators and security teams responsible for Cyrus IMAP servers, especially those with multi-user environments and shared mailboxes or complex access controls, should be aware of this vulnerability. They should assess their exposure, review access controls, and prepare for potential updates or mitigations.

Technical summary

The vulnerability allows an authenticated IMAP user to probe for the existence of arbitrary mailboxes on other users' accounts and create push notifications for new mail in those mailboxes through the XAPPLEPUSHSERVICE command. This acts as a folder existence oracle and enables push hijacking, potentially leading to information leaks about mailbox existence and unsolicited notifications in multi-user environments.

Defensive priority

Low-Moderate

Recommended defensive actions

  • Inventory Cyrus IMAP servers and verify version 3.12.2 or earlier
  • Restrict XAPPLEPUSHSERVICE command access to trusted users
  • Monitor for suspicious IMAP activity
  • Apply patches or updates when available
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented

Evidence notes

The CVE record was published on 2026-07-16T19:16:48.573Z and has not been modified since then. The NVD entry is currently in the 'Received' status. This information is based on the supplied source corpus and may not reflect the current status of the vulnerability. Defenders should verify the current status and affected scope with the vendor or through other trusted sources.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-16T19:16:48.573Z and has not been modified since then. The NVD entry is currently Received.