PatchSiren cyber security CVE debrief
CVE-2026-47084 cyrusimap CVE debrief
An authenticated but non-admin user could invoke the admin-only LOCALDELETE IMAP command and delete mailboxes for which they had no permissions due to a LOCALDELETE ACL check bypass in Cyrus IMAP through 3.12.2. This issue allows unauthorized mailbox deletion, potentially leading to data loss. The vulnerability has a CVSS score of 6.5, indicating a medium severity level. Users of Cyrus IMAP through version 3.12.2 should verify their installations and ensure proper configuration of ACL checks for the LOCALDELETE command to mitigate this risk.
- Vendor
- cyrusimap
- Product
- Cyrus IMAP
- CVSS
- MEDIUM 6.5
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-16
- Original CVE updated
- 2026-07-16
- Advisory published
- 2026-07-16
- Advisory updated
- 2026-07-16
Who should care
Users of Cyrus IMAP through version 3.12.2 should verify their installations and ensure proper configuration of ACL checks for the LOCALDELETE command. System administrators and security teams responsible for managing Cyrus IMAP deployments need to assess their exposure to this vulnerability and take appropriate mitigation actions. This includes reviewing current ACL settings, updating to the latest version if available, and implementing compensating controls such as logging and auditing of mailbox deletion actions.
Technical summary
The LOCALDELETE command in Cyrus IMAP through 3.12.2 was found to bypass Access Control List (ACL) checks. This vulnerability allows an authenticated user, who is not an administrator, to delete mailboxes for which they do not have permissions by invoking the admin-only LOCALDELETE IMAP command. The issue arises from a flawed ACL check in the LOCALDELETE command implementation. Affected users should review and enforce proper ACL configurations for the LOCALDELETE command and consider updating to the latest version of Cyrus IMAP if available.
Defensive priority
Medium priority due to the CVSS score of 6.5 and the potential for data loss. Organizations should prioritize mitigation efforts based on their specific risk profile and the potential impact of unauthorized mailbox deletion.
Recommended defensive actions
- Verify and update Cyrus IMAP to the latest version if available.
- Review and enforce proper ACL configurations for the LOCALDELETE command.
- Monitor for and restrict use of the LOCALDELETE command by non-admin users.
- Implement compensating controls such as logging and auditing of mailbox deletion actions.
- Perform regular security audits to identify and address potential vulnerabilities.
- Develop and implement incident response plans for potential mailbox deletion incidents.
- Provide training to users and administrators on the risks associated with this vulnerability and best practices for secure configuration and use of Cyrus IMAP.
Evidence notes
The CVE record was published on 2026-07-16T19:16:48.987Z and has not been modified since then. The NVD entry is currently in the 'Received' status. This information is based on the provided source corpus and may not reflect the full scope of affected systems or potential impacts. Users should verify their installations and configurations to ensure proper protection.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-16T19:16:48.987Z and has not been modified since then. The NVD entry is currently in the 'Received' status.