PatchSiren cyber security CVE debrief
CVE-2026-47086 cyrusimap CVE debrief
CVE-2026-47086 is a vulnerability in cyrus-imapd, part of Cyrus IMAP, that allows authenticated users to bypass Access Control Lists (ACLs). The issue arises from the GENURLAUTH command, which can be used to mint URLAUTH tokens for any mailbox a user can name, even if they lack read access to it. This could enable users to read mail from mailboxes they shouldn't have access to, potentially leading to unauthorized information disclosure.
- Vendor
- cyrusimap
- Product
- Cyrus IMAP
- CVSS
- LOW 3.5
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-16
- Original CVE updated
- 2026-07-16
- Advisory published
- 2026-07-16
- Advisory updated
- 2026-07-16
Who should care
System administrators and security professionals managing Cyrus IMAP servers should be aware of this vulnerability. Although the CVSS score is 3.5 (Low severity), the potential impact on data confidentiality could be significant in certain contexts, especially in environments where mailbox access is tightly controlled.
Technical summary
The vulnerability exists in the GENURLAUTH command of cyrus-imapd in Cyrus IMAP through version 3.12.2. An authenticated user can exploit this by generating a URLAUTH token for any mailbox, regardless of their permissions. This token could then be used to access the mailbox, potentially allowing unauthorized reading of emails. The issue arises because the GENURLAUTH command does not properly enforce Access Control Lists (ACLs), enabling users to bypass normal access restrictions. This could lead to targeted attacks for information gathering or privilege escalation in environments where mailbox access is tightly controlled.
Defensive priority
Medium. While the CVSS score is low, the nature of the vulnerability could lead to targeted attacks for information gathering or privilege escalation.
Recommended defensive actions
- Immediately upgrade to Cyrus IMAP version 3.12.3 or later, which presumably fixes this issue.
- Review and restrict access to the GENURLAUTH command in your IMAP server configuration.
- Monitor for any suspicious use of URLAUTH tokens in your IMAP server logs.
- Consider implementing additional logging and monitoring for mailbox access patterns.
- Review compensating controls for exposed systems while remediation is scheduled and verified.
- Check relevant monitoring, detection, and logs for exposed assets that need extra review.
- Track exceptions, retest remediated assets, and close the item only after evidence is documented.
Evidence notes
The CVE record and NVD entry provide initial details about the vulnerability. However, specific technical details about the exploitability and potential mitigations are limited in the provided sources. Further investigation into Cyrus IMAP server configurations and potential compensating controls may be necessary.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-16T19:16:49.253Z and has not been modified since then.