PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-47085 cyrusimap CVE debrief

A MEDIUM severity vulnerability was discovered in cyrus-imapd in Cyrus IMAP through 3.12.2. The issue allows for URLAUTH token forgery via a missing mboxkey. An attacker who knows a folder name on the victim's account for which the victim has never issued an auth URL can forge a working URLAUTH token by computing an HMAC-SHA1 value with a predictable key, granting them read access to the mailbox. However, as URLAUTH is an obscure feature, the odds of any user being susceptible to this attack are very low.

Vendor
cyrusimap
Product
Cyrus IMAP
CVSS
MEDIUM 4
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-16
Original CVE updated
2026-07-16
Advisory published
2026-07-16
Advisory updated
2026-07-16

Who should care

Administrators and users of Cyrus IMAP servers, especially those who have not upgraded to version 3.12.3 or later, should be aware of this vulnerability. Although the attack is complex and requires specific knowledge of the victim's account, it is essential to take precautions to prevent potential exploitation.

Technical summary

The vulnerability exists in the cyrus-imapd component of Cyrus IMAP through version 3.12.2. The URLAUTH feature, which is not commonly used, allows an attacker to forge a valid authentication token if they know a folder name that the victim has not previously authenticated to. This is achieved by calculating an HMAC-SHA1 value using a predictable key. Successful exploitation grants the attacker read access to the mailbox.

Defensive priority

Medium priority should be given to patching or mitigating this vulnerability, especially in environments where the URLAUTH feature is used or where sensitive mailbox data is stored.

Recommended defensive actions

  • Apply the patch or upgrade to Cyrus IMAP version 3.12.3 or later.
  • Review and limit the use of the URLAUTH feature to necessary accounts and users.
  • Monitor mailbox access and authentication logs for suspicious activity.
  • Consider implementing additional security measures, such as multi-factor authentication for mailbox access.
  • Review compensating controls for exposed systems while remediation is scheduled and verified.
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review.
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented.

Evidence notes

The CVE record was published on 2026-07-16T19:16:49.120Z and has not been modified since then. The NVD entry is currently in the 'Received' status. Limited information is available about the vulnerability's impact and exploitation.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-16T19:16:49.120Z and has not been modified since then. The NVD entry is currently Received.