PatchSiren

cyrusimap CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

MEDIUM cyrusimap CVE published 2026-07-16

CVE-2026-47085

A MEDIUM severity vulnerability was discovered in cyrus-imapd in Cyrus IMAP through 3.12.2. The issue allows for URLAUTH token forgery via a missing mboxkey. An attacker who knows a folder name on the victim's account for which the victim has never issued an auth URL can forge a working URLAUTH token by computing an HMAC-SHA1 value with a predictable key, granting them read access to the mailbox. However, [truncated]