CVE-2026-47081
Received Received - Intake

XAPPLEPUSHSERVICE Folder Existence Oracle in Cyrus IMAP

Vulnerability report for CVE-2026-47081, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-16

Last updated on: 2026-07-16

Assigner: MITRE

Description

An issue was discovered in cyrus-imapd in Cyrus IMAP through 3.12.2. There is an XAPPLEPUSHSERVICE folder existence oracle and push hijack. An authenticated IMAP user could probe for the existence of arbitrary mailboxes on other users' accounts via the XAPPLEPUSHSERVICE command and then create Apple Push Notification Service notifications for new mail in those mailboxes to their own APNS device. This did not leak any data about the content of mailboxes. Instead, a "mailbox has changed" notice would be pushed when the mailbox modseq changed.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-16
Last Modified
2026-07-16
Generated
2026-07-16
AI Q&A
2026-07-16
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 4 associated CPEs
Vendor Product Version / Range
cyrus_imapd cyrus_imapd 3.12.2
cyrus imap 3.12.2
cyrus imap 3.12.3
cyrus imap 3.13

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability in Cyrus IMAP through 3.12.2 allows an authenticated user to check if arbitrary mailboxes exist on other users' accounts using the XAPPLEPUSHSERVICE command. They can then set up push notifications for those mailboxes to their own device without accessing the actual email content. The system only indicates when a mailbox's modification sequence changes, not the content itself.

Impact Analysis

An attacker could use this to determine which mailboxes exist on a server, potentially revealing information about user accounts or system structure. While no email content is exposed, the ability to monitor mailbox activity changes could aid in further attacks or reconnaissance.

Mitigation Strategies

Upgrade cyrus-imapd to version 3.12.2 or later to address the XAPPLEPUSHSERVICE folder existence oracle and push hijack vulnerability. Ensure only authenticated users can access IMAP services and monitor for unusual push notification activity.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-47081. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart