CVE-2026-47082
Received
Received - Intake
Vacation :fcc ACL Bypass in Cyrus IMAP
Vulnerability report for CVE-2026-47082, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.
Publication date: 2026-07-16
Last updated on: 2026-07-16
Assigner: MITRE
Description
Description
An issue was discovered in cyrus-imapd in Cyrus IMAP through 3.12.2. The vacation "fcc" feature skips the destination-mailbox ACL. A user whose vacation Sieve script used :fcc (to save a copy of the sent message) could deliver vacation auto-reply copies into any mailbox the script could name, regardless of whether the script owner had insert permissions on the destination mailbox.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| cyrus_imapd | cyrus_imapd | 3.12.2 |
| cyrus | imapd | 3.12.2 |
| cyrus | imapd | 3.12.3 |
| cyrus | imapd | 3.13 |
| cyrus | imapd | 3.10 |
| cyrus | imapd | 3.8 |
| cyrus | imapd | 3.6 |
| cyrus | imapd | 3.4 |
| cyrus | imapd | 3.2 |
| cyrus | imapd | 3.0 |
| cyrus | imapd | 2.5 |
| cyrus | imapd | 2.0 |
| cyrus | imapd | 2.4 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-863 | The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. |