MEDIUM
cyrusimap
CVE published 2026-07-16
CVE-2026-47085
A MEDIUM severity vulnerability was discovered in cyrus-imapd in Cyrus IMAP through 3.12.2. The issue allows for URLAUTH token forgery via a missing mboxkey. An attacker who knows a folder name on the victim's account for which the victim has never issued an auth URL can forge a working URLAUTH token by computing an HMAC-SHA1 value with a predictable key, granting them read access to the mailbox. However, [truncated]