PatchSiren cyber security CVE debrief
CVE-2026-47089 cyrusimap CVE debrief
CVE-2026-47089 is a vulnerability in Cyrus IMAP through 3.12.2 where LISTRIGHTS is not limited to users with admin access. An authenticated user could call IMAP LISTRIGHTS against any mailbox they could name and learn what principals had what access to it. This action should have been restricted to users with admin access on the target mailbox. The vulnerability exists due to inadequate access controls in the LISTRIGHTS function, potentially leading to unauthorized information disclosure about mailbox access permissions. Administrators and users of Cyrus IMAP servers, especially those with multi-user environments, should be aware of this vulnerability. It could allow unauthorized information disclosure about mailbox access permissions. Limited information is available about the specific details of the vulnerability and its potential impact, so verification and defensive measures are necessary.
- Vendor
- cyrusimap
- Product
- Cyrus IMAP
- CVSS
- MEDIUM 4.3
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-16
- Original CVE updated
- 2026-07-16
- Advisory published
- 2026-07-16
- Advisory updated
- 2026-07-16
Who should care
Administrators and users of Cyrus IMAP servers, especially those with multi-user environments, should be aware of this vulnerability. It could allow unauthorized information disclosure about mailbox access permissions.
Technical summary
The vulnerability exists in the LISTRIGHTS function of Cyrus IMAP through version 3.12.2. Normally, this function should be restricted to users with administrative access to the target mailbox. However, due to this vulnerability, any authenticated user can use LISTRIGHTS to discover the access rights of various principals to any mailbox they can name. This could potentially lead to information disclosure about mailbox access permissions.
Defensive priority
Medium priority should be given to patching this vulnerability, especially in environments where mailbox access control is crucial.
Recommended defensive actions
- Apply the vendor's official patch or upgrade to a version of Cyrus IMAP that fixes this issue.
- Restrict access to the LISTRIGHTS function to only administrative users.
- Monitor and audit IMAP server logs for unusual LISTRIGHTS usage patterns.
- Consider implementing additional access controls or compensating controls to limit the potential damage.
- Review compensating controls for exposed systems while remediation is scheduled and verified.
- Check relevant monitoring, detection, and logs for exposed assets that need extra review.
- Track exceptions, retest remediated assets, and close the item only after evidence is documented.
Evidence notes
The CVE record was published on 2026-07-16T19:16:49.647Z and has not been modified since then. The NVD entry is currently in the 'Received' status. Limited information is available about the specific details of the vulnerability and its potential impact.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-16T19:16:49.647Z and has not been modified since then. The NVD entry is currently Received.