PatchSiren cyber security CVE debrief
CVE-2026-47081 cyrusimap CVE debrief
An issue was discovered in cyrus-imapd in Cyrus IMAP through 3.12.2. There is an XAPPLEPUSHSERVICE folder existence oracle and push hijack. An authenticated IMAP user could probe for the existence of arbitrary mailboxes on other users' accounts via the XAPPLEPUSHSERVICE command and then create Apple Push Notification Service notifications for new mail in those mailboxes to their own APNS device. This issue affects multi-user environments, particularly those with shared mailboxes or complex access controls. The vulnerability allows for potential information leaks about mailbox existence and could be used to create unsolicited notifications.
- Vendor
- cyrusimap
- Product
- Cyrus IMAP
- CVSS
- LOW 3.1
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-16
- Original CVE updated
- 2026-07-16
- Advisory published
- 2026-07-16
- Advisory updated
- 2026-07-16
Who should care
System administrators and security teams responsible for Cyrus IMAP servers, especially those with multi-user environments and shared mailboxes or complex access controls, should be aware of this vulnerability. They should assess their exposure, review access controls, and prepare for potential updates or mitigations.
Technical summary
The vulnerability allows an authenticated IMAP user to probe for the existence of arbitrary mailboxes on other users' accounts and create push notifications for new mail in those mailboxes through the XAPPLEPUSHSERVICE command. This acts as a folder existence oracle and enables push hijacking, potentially leading to information leaks about mailbox existence and unsolicited notifications in multi-user environments.
Defensive priority
Low-Moderate
Recommended defensive actions
- Inventory Cyrus IMAP servers and verify version 3.12.2 or earlier
- Restrict XAPPLEPUSHSERVICE command access to trusted users
- Monitor for suspicious IMAP activity
- Apply patches or updates when available
- Review compensating controls for exposed systems while remediation is scheduled and verified
- Check relevant monitoring, detection, and logs for exposed assets that need extra review
- Track exceptions, retest remediated assets, and close the item only after evidence is documented
Evidence notes
The CVE record was published on 2026-07-16T19:16:48.573Z and has not been modified since then. The NVD entry is currently in the 'Received' status. This information is based on the supplied source corpus and may not reflect the current status of the vulnerability. Defenders should verify the current status and affected scope with the vendor or through other trusted sources.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-16T19:16:48.573Z and has not been modified since then. The NVD entry is currently Received.