CVE-2026-47087
Received Received - Intake

URLAUTH Authorization Bypass in Cyrus IMAP

Vulnerability report for CVE-2026-47087, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-16

Last updated on: 2026-07-16

Assigner: MITRE

Description

An issue was discovered in cyrus-imapd in Cyrus IMAP through 3.12.2. URLAUTH does not honor revoked authorizer access. A URLAUTH URL minted while the authorizer had access continued to work after that access was revoked.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-16
Last Modified
2026-07-16
Generated
2026-07-16
AI Q&A
2026-07-16
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
cyrus_imapd cyrus_imapd 3.12.2

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-672 The product uses, accesses, or otherwise operates on a resource after that resource has been expired, released, or revoked.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability is in cyrus-imapd, a Cyrus IMAP server. It involves URLAUTH, a feature that allows users to create URLs for accessing email messages. The issue is that URLAUTH URLs created while a user had access continue to work even after their access is revoked. This means unauthorized users could still access restricted emails using old URLs.

Impact Analysis

If you use cyrus-imapd, this vulnerability could allow unauthorized individuals to access emails they should no longer have permission to view. This could lead to data breaches, privacy violations, or unauthorized disclosure of sensitive information.

Compliance Impact

This vulnerability could violate data protection regulations like GDPR or HIPAA by allowing unauthorized access to personal or health information. Organizations using cyrus-imapd may fail to meet compliance requirements for data access controls and user permissions.

Mitigation Strategies

Upgrade cyrus-imapd to a version beyond 3.12.2 where the URLAUTH issue has been fixed. Review and revoke any active URLAUTH URLs if an upgrade is not immediately possible.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-47087. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart