CVE-2026-47085
Last modified
CVE-2026-47085 is a medium-severity vulnerability rated 4/10 on the CVSS scale. An issue was discovered in cyrus-imapd in Cyrus IMAP through 3.12.2. URLAUTH token forgery can occur via a missing mboxkey. EPSS estimates a 0.19% chance of exploitation in the next 30 days.
Description
An issue was discovered in cyrus-imapd in Cyrus IMAP through 3.12.2. URLAUTH token forgery can occur via a missing mboxkey. If an attacker knew a folder name on the victim's account for which the victim had never issued an auth URL, they could forge a working URLAUTH token by computing an HMAC-SHA1 value with a predictable key, giving them read access to the mailbox. (URLAUTH is an obscure feature, meaning that the odds of any user actually being susceptible to this attack are very low. Perhaps no public clients use URLAUTH.)
Metrics
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N
Weakness Enumeration
Affected Software
Source: CNA advisory (CVE.org). NVD analysis pending.
| Vendor | Product | Versions |
|---|---|---|
| cyrusimap | Cyrus IMAP | < 3.12.3 |
References
Timeline
- Published
- Last Modified
- Status
- Deferred
Frequently Asked Questions
What is CVE-2026-47085?
How severe is CVE-2026-47085?
How do I fix CVE-2026-47085?
Related CVEs from 2026
- CVE-2026-47077Allocation of Resources Without Limits or Throttling vulnera…7.5
- CVE-2026-4708Incorrect boundary conditions in the Graphics component. Thi…7.5
- CVE-2026-47081An issue was discovered in cyrus-imapd in Cyrus IMAP through…3.1
- CVE-2026-47082An issue was discovered in cyrus-imapd in Cyrus IMAP through…5.4
- CVE-2026-47083An issue was discovered in cyrus-imapd in Cyrus IMAP through…4.3
- CVE-2026-47084An issue was discovered in cyrus-imapd in Cyrus IMAP through…6.5
- CVE-2026-47086An issue was discovered in cyrus-imapd in Cyrus IMAP through…3.5
- CVE-2026-47087An issue was discovered in cyrus-imapd in Cyrus IMAP through…3.5
- CVE-2026-47088An issue was discovered in cyrus-imapd in Cyrus IMAP through…3.1
- CVE-2026-47089An issue was discovered in cyrus-imapd in Cyrus IMAP through…4.3
- CVE-2026-4709Incorrect boundary conditions in the Audio/Video: GMP compon…7.5
- CVE-2026-47090Claude HUD through 0.0.12, patched in commit 234d9aa, constr…4.6
Are you affected by CVE-2026-47085?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST
