CVE-2026-47082
Received Received - Intake

Vacation :fcc ACL Bypass in Cyrus IMAP

Vulnerability report for CVE-2026-47082, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-16

Last updated on: 2026-07-16

Assigner: MITRE

Description

An issue was discovered in cyrus-imapd in Cyrus IMAP through 3.12.2. The vacation "fcc" feature skips the destination-mailbox ACL. A user whose vacation Sieve script used :fcc (to save a copy of the sent message) could deliver vacation auto-reply copies into any mailbox the script could name, regardless of whether the script owner had insert permissions on the destination mailbox.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-16
Last Modified
2026-07-16
Generated
2026-07-16
AI Q&A
2026-07-16
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 13 associated CPEs
Vendor Product Version / Range
cyrus_imapd cyrus_imapd 3.12.2
cyrus imapd 3.12.2
cyrus imapd 3.12.3
cyrus imapd 3.13
cyrus imapd 3.10
cyrus imapd 3.8
cyrus imapd 3.6
cyrus imapd 3.4
cyrus imapd 3.2
cyrus imapd 3.0
cyrus imapd 2.5
cyrus imapd 2.0
cyrus imapd 2.4

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability in Cyrus IMAP through 3.12.2 involves the vacation 'fcc' feature bypassing destination-mailbox ACL checks. When a user's vacation Sieve script uses :fcc to save a copy of sent messages, it can deliver auto-reply copies to any mailbox named in the script, even if the user lacks insert permissions for that mailbox.

Detection Guidance

Check Cyrus IMAP version with 'cyrus-imapd --version' or 'rpm -qa | grep cyrus-imapd' to see if it is below 3.12.3. Review Sieve vacation scripts for :fcc usage and verify destination mailbox ACLs for affected users.

Impact Analysis

An attacker with access to a user's Sieve script could exploit this to send unauthorized messages to restricted mailboxes, potentially leaking sensitive information or violating data integrity. Users may unknowingly expose auto-reply content to unintended recipients.

Compliance Impact

This vulnerability could lead to unauthorized data access or disclosure, violating GDPR's data protection principles or HIPAA's confidentiality requirements. Organizations using Cyrus IMAP may face compliance risks if exploited.

Mitigation Strategies

Upgrade to Cyrus IMAP 3.12.3 or later. Review and restrict Sieve vacation scripts to ensure :fcc destinations respect ACLs. Audit mailbox permissions for users with vacation scripts.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-47082. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart