PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-47089 cyrusimap CVE debrief

CVE-2026-47089 is a vulnerability in Cyrus IMAP through 3.12.2 where LISTRIGHTS is not limited to users with admin access. An authenticated user could call IMAP LISTRIGHTS against any mailbox they could name and learn what principals had what access to it. This action should have been restricted to users with admin access on the target mailbox. The vulnerability exists due to inadequate access controls in the LISTRIGHTS function, potentially leading to unauthorized information disclosure about mailbox access permissions. Administrators and users of Cyrus IMAP servers, especially those with multi-user environments, should be aware of this vulnerability. It could allow unauthorized information disclosure about mailbox access permissions. Limited information is available about the specific details of the vulnerability and its potential impact, so verification and defensive measures are necessary.

Vendor
cyrusimap
Product
Cyrus IMAP
CVSS
MEDIUM 4.3
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-16
Original CVE updated
2026-07-16
Advisory published
2026-07-16
Advisory updated
2026-07-16

Who should care

Administrators and users of Cyrus IMAP servers, especially those with multi-user environments, should be aware of this vulnerability. It could allow unauthorized information disclosure about mailbox access permissions.

Technical summary

The vulnerability exists in the LISTRIGHTS function of Cyrus IMAP through version 3.12.2. Normally, this function should be restricted to users with administrative access to the target mailbox. However, due to this vulnerability, any authenticated user can use LISTRIGHTS to discover the access rights of various principals to any mailbox they can name. This could potentially lead to information disclosure about mailbox access permissions.

Defensive priority

Medium priority should be given to patching this vulnerability, especially in environments where mailbox access control is crucial.

Recommended defensive actions

  • Apply the vendor's official patch or upgrade to a version of Cyrus IMAP that fixes this issue.
  • Restrict access to the LISTRIGHTS function to only administrative users.
  • Monitor and audit IMAP server logs for unusual LISTRIGHTS usage patterns.
  • Consider implementing additional access controls or compensating controls to limit the potential damage.
  • Review compensating controls for exposed systems while remediation is scheduled and verified.
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review.
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented.

Evidence notes

The CVE record was published on 2026-07-16T19:16:49.647Z and has not been modified since then. The NVD entry is currently in the 'Received' status. Limited information is available about the specific details of the vulnerability and its potential impact.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-16T19:16:49.647Z and has not been modified since then. The NVD entry is currently Received.