Cyrus IMAP 3.12.3 Release Notes
Download from GitHub:
Changes since 3.12.2
Security fixes
CVE-2026-47084 LOCALDELETE bypassed ACL checks
An authenticated but non-admin user could invoke the admin-only LOCALDELETE IMAP command and delete mailboxes for which they had no permissions.
Reported by: Michael Lynch (mtlynch.io)
CVE-2026-47086 GENURLAUTH issued tokens bypassing ACLs
Any authenticated user could mint a URLAUTH token (via the GENURLAUTH command) for any mailbox they could name, even without read access on it. This would allow reading mail from mailboxes despite having no granted permissions.
Reported by: Matthew Horsfall
CVE-2026-47087 URLAUTH does not honor revoked authorizer access
A URLAUTH URL minted while the authorizer had access continued to work after that access was revoked.
Reported by: Matthew Horsfall
CVE-2026-47081 XAPPLEPUSHSERVICE folder existence oracle and push hijack
An authenticated IMAP user could probe for the existence of arbitrary mailboxes on other users' accounts via the XAPPLEPUSHSERVICE command and then create Apple Push Notification Service notifications for new mail in those mailboxes to their own APNS device. This did not leak any data about the content of mailboxes. Instead, a "mailbox has changed" notice would be pushed when the mailbox modseq changed.
Reported by Matthew Horsfall.
CVE-2026-47089 LISTRIGHTS not limited to users with admin access
An authenticated user could call IMAP LISTRIGHTS against any mailbox they could name and learn what principals had what access to it. (This action should have been restricted to users with admin access on the target mailbox.)
Reported by: Matthew Horsfall
CVE-2026-47085 URLAUTH token forgery via missing mboxkey
If an attacker knew a folder name on the victim's account for which the victim had never issued an auth URL, they could forge a working URLAUTH token by computing HMAC-SHA1 with a predictable key, allowing them read access to the mailbox.
URLAUTH is an obscure feature, meaning that the odds of any user actually being susceptible to this attack are very low. We are unaware of any clients using URLAUTH.
Reported by: Matthew Horsfall
CVE-2026-47083 ESEARCH cross-user content oracle
Using the ESEARCH command, an authenticated IMAP user could enumerate folder names under any account they could name. Search would return UIDs of messages matching search, creating a content oracle without allowing arbitrary reads of the target's content.
Reported by: Michael Lynch (mtlynch.io)
CVE-2026-47088 Heap exposure in nested MIME comment parsing
An authenticated IMAP user could specially craft an email containing an RFC 822 comment ending with a backslash. When parsing the message, the server would read past the message end in memory and read into the heap, returning the read content to the user.
Reported by: Michael Lynch (mtlynch.io).
CVE-2026-47082 Vacation "fcc" skips destination-mailbox ACL
A user whose vacation Sieve script used :fcc (to save a copy of the sent message) could deliver vacation auto-reply copies into any mailbox the script could name, regardless of whether the script owner had insert permissions on the destination mailbox.
Reported by: Michael Lynch (mtlynch.io)
Build changes
Fixed: Issue #5262: fix cunit+valgrind libtool invocation
Fixed: Issue #5646: update cunit valgrind suppressions
Bug fixes
Fixed: Issue #5908: auditlog rename of UUID mailboxes
Fixed: Issue #5922: prohibit APPEND/COPY/MOVE into non-IMAP mailboxes
Fixed: Issue #5437: don't leak cached TLS sessions
Fixed: Issue #5436: fix leaks in imap SELECT and SETQUOTA
Fixed: Issue #6022: various memory leaks