CVE-2026-47085
Received Received - Intake

URLAUTH Token Forgery in Cyrus IMAP

Vulnerability report for CVE-2026-47085, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-16

Last updated on: 2026-07-16

Assigner: MITRE

Description

An issue was discovered in cyrus-imapd in Cyrus IMAP through 3.12.2. URLAUTH token forgery can occur via a missing mboxkey. If an attacker knew a folder name on the victim's account for which the victim had never issued an auth URL, they could forge a working URLAUTH token by computing an HMAC-SHA1 value with a predictable key, giving them read access to the mailbox. (URLAUTH is an obscure feature, meaning that the odds of any user actually being susceptible to this attack are very low. Perhaps no public clients use URLAUTH.)

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-16
Last Modified
2026-07-16
Generated
2026-07-16
AI Q&A
2026-07-16
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
cyrus imapd 3.12.2
cyrus-imapd cyrus_imapd 3.12.2

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-340 The product uses a scheme that generates numbers or identifiers that are more predictable than required.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability in Cyrus IMAP through 3.12.2 allows an attacker to forge a URLAUTH token by exploiting a missing mboxkey. If the attacker knows a folder name on a victim's account that the victim never used with auth URL, they can compute an HMAC-SHA1 value with a predictable key to create a valid token, gaining unauthorized read access to the mailbox.

Detection Guidance

Detection may involve checking for unauthorized URLAUTH token usage or suspicious access to mailboxes. Since URLAUTH is an obscure feature, review Cyrus IMAP logs for unusual auth URL requests or access patterns. No specific commands are provided in the context.

Impact Analysis

An attacker could gain unauthorized read access to your email folders if they know a folder name you never used with auth URL. However, the URLAUTH feature is obscure and rarely used, making the likelihood of exploitation very low.

Mitigation Strategies

Upgrade to the latest version of cyrus-imapd (3.12.2 or later) to address the missing mboxkey issue. If upgrading is not immediately possible, disable the URLAUTH feature in the configuration to prevent token forgery attempts.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-47085. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart