Cyrus IMAP 3.8.7 Release Notes
******************************

Download from GitHub:

   * https://github.com/cyrusimap/cyrus-imapd/releases/download/cyrus-
     imapd-3.8.7/cyrus-imapd-3.8.7.tar.gz

   * https://github.com/cyrusimap/cyrus-imapd/releases/download/cyrus-
     imapd-3.8.7/cyrus-imapd-3.8.7.tar.gz.sig


Changes since 3.8.6
===================


Security fixes
--------------

* CVE-2026-47084 LOCALDELETE bypassed ACL checks

  An authenticated but non-admin user could invoke the admin-only
  LOCALDELETE IMAP command and delete mailboxes for which they had no
  permissions.

  Reported by: Michael Lynch (mtlynch.io)

* CVE-2026-47086 GENURLAUTH issued tokens bypassing ACLs

  Any authenticated user could mint a URLAUTH token (via the
  GENURLAUTH command) for any mailbox they could name, even without
  read access on it. This would allow reading mail from mailboxes
  despite having no granted permissions.

  Reported by: Matthew Horsfall

* CVE-2026-47087 URLAUTH does not honor revoked authorizer access

  A URLAUTH URL minted while the authorizer had access continued to
  work after that access was revoked.

  Reported by: Matthew Horsfall

* CVE-2026-47081 XAPPLEPUSHSERVICE folder existence oracle and push
  hijack

  An authenticated IMAP user could probe for the existence of
  arbitrary mailboxes on other users' accounts via the
  XAPPLEPUSHSERVICE command and then create Apple Push Notification
  Service notifications for new mail in those mailboxes to their own
  APNS device.  This did not leak any data about the content of
  mailboxes.  Instead, a "mailbox has changed" notice would be pushed
  when the mailbox modseq changed.

  Reported by Matthew Horsfall.

* CVE-2026-47089 LISTRIGHTS not limited to users with admin access

  An authenticated user could call IMAP LISTRIGHTS against any mailbox
  they could name and learn what principals had what access to it.
  (This action should have been restricted to users with admin access
  on the target mailbox.)

  Reported by: Matthew Horsfall

* CVE-2026-47085 URLAUTH token forgery via missing mboxkey

  If an attacker knew a folder name on the victim's account for which
  the victim had never issued an auth URL, they could forge a working
  URLAUTH token by computing HMAC-SHA1 with a predictable key,
  allowing them read access to the mailbox.

  URLAUTH is an obscure feature, meaning that the odds of any user
  actually being susceptible to this attack are very low.  We are
  unaware of any clients using URLAUTH.

  Reported by: Matthew Horsfall

* CVE-2026-47083 ESEARCH cross-user content oracle

  Using the ESEARCH command, an authenticated IMAP user could
  enumerate folder names under any account they could name.  Search
  would return UIDs of messages matching search, creating a content
  oracle without allowing arbitrary reads of the target's content.

  Reported by: Michael Lynch (mtlynch.io)

* CVE-2026-47088 Heap exposure in nested MIME comment parsing

  An authenticated IMAP user could specially craft an email containing
  an RFC 822 comment ending with a backslash.  When parsing the
  message, the server would read past the message end in memory and
  read into the heap, returning the read content to the user.

  Reported by: Michael Lynch (mtlynch.io).

* CVE-2026-47082 Vacation "fcc" skips destination-mailbox ACL

  A user whose vacation Sieve script used :fcc (to save a copy of the
  sent message) could deliver vacation auto-reply copies into any
  mailbox the script could name, regardless of whether the script
  owner had insert permissions on the destination mailbox.

  Reported by: Michael Lynch (mtlynch.io)


Build changes
-------------

* Fixed: Issue #4566: treat valgrind errors during unit tests as
  failures

* Fixed: Issue #5262: fix cunit+valgrind libtool invocation

* Fixed: Issue #5313: update cassandane valgrind suppressions

* Fixed: Issue #5646: update cunit valgrind suppressions

* Fixed: Issue #5512: fix cunit stuff to properly integrate with
  autotools

* Fixed: Issue #5733: unused parameter warning in cyrdbbench

* Fixed: Issue #5727: consolidate cassandane 'other' configuration
  sections

* Fixed: Issue #5730: add "--with-zoneinfo-dir" configure option to
  set "zoneinfo_dir" at compile time

* Fixed: Issue #5750: add min/max other version cassandane magic


Bug fixes
---------

* Fixed: Issue #5437: don't leak cached TLS sessions

* Fixed: Issue #5602: fix proxy of LIST (SUBSCRIBED) to backends

* Fixed: Issue #3562: squat crash attempting to search flags (thanks
  Sven Wegener)

* Fixed: Issue #5908: auditlog rename of UUID mailboxes

* Fixed: Issue #6022: various memory leaks
