Cyrus IMAP 3.10.3 Release Notes

Download from GitHub:

Changes since 3.10.2

Security fixes

  • CVE-2026-47084 LOCALDELETE bypassed ACL checks

    An authenticated but non-admin user could invoke the admin-only LOCALDELETE IMAP command and delete mailboxes for which they had no permissions.

    Reported by: Michael Lynch (mtlynch.io)

  • CVE-2026-47086 GENURLAUTH issued tokens bypassing ACLs

    Any authenticated user could mint a URLAUTH token (via the GENURLAUTH command) for any mailbox they could name, even without read access on it. This would allow reading mail from mailboxes despite having no granted permissions.

    Reported by: Matthew Horsfall

  • CVE-2026-47087 URLAUTH does not honor revoked authorizer access

    A URLAUTH URL minted while the authorizer had access continued to work after that access was revoked.

    Reported by: Matthew Horsfall

  • CVE-2026-47081 XAPPLEPUSHSERVICE folder existence oracle and push hijack

    An authenticated IMAP user could probe for the existence of arbitrary mailboxes on other users' accounts via the XAPPLEPUSHSERVICE command and then create Apple Push Notification Service notifications for new mail in those mailboxes to their own APNS device. This did not leak any data about the content of mailboxes. Instead, a "mailbox has changed" notice would be pushed when the mailbox modseq changed.

    Reported by Matthew Horsfall.

  • CVE-2026-47089 LISTRIGHTS not limited to users with admin access

    An authenticated user could call IMAP LISTRIGHTS against any mailbox they could name and learn what principals had what access to it. (This action should have been restricted to users with admin access on the target mailbox.)

    Reported by: Matthew Horsfall

  • CVE-2026-47085 URLAUTH token forgery via missing mboxkey

    If an attacker knew a folder name on the victim's account for which the victim had never issued an auth URL, they could forge a working URLAUTH token by computing HMAC-SHA1 with a predictable key, allowing them read access to the mailbox.

    URLAUTH is an obscure feature, meaning that the odds of any user actually being susceptible to this attack are very low. We are unaware of any clients using URLAUTH.

    Reported by: Matthew Horsfall

  • CVE-2026-47083 ESEARCH cross-user content oracle

    Using the ESEARCH command, an authenticated IMAP user could enumerate folder names under any account they could name. Search would return UIDs of messages matching search, creating a content oracle without allowing arbitrary reads of the target's content.

    Reported by: Michael Lynch (mtlynch.io)

  • CVE-2026-47088 Heap exposure in nested MIME comment parsing

    An authenticated IMAP user could specially craft an email containing an RFC 822 comment ending with a backslash. When parsing the message, the server would read past the message end in memory and read into the heap, returning the read content to the user.

    Reported by: Michael Lynch (mtlynch.io).

  • CVE-2026-47082 Vacation "fcc" skips destination-mailbox ACL

    A user whose vacation Sieve script used :fcc (to save a copy of the sent message) could deliver vacation auto-reply copies into any mailbox the script could name, regardless of whether the script owner had insert permissions on the destination mailbox.

    Reported by: Michael Lynch (mtlynch.io)

Build changes

  • Fixed: Issue #5262: fix cunit+valgrind libtool invocation

  • Fixed: Issue #5512: fix cunit stuff to properly integrate with autotools

  • Fixed: Issue #5646: update cunit valgrind suppressions

  • Fixed: Issue #5733: unused parameter warning in cyrdbbench

  • Fixed: Issue #5727: consolidate cassandane 'other' configuration sections

  • Fixed: Issue #5730: add --with-zoneinfo-dir configure option to set zoneinfo_dir at compile time

  • Fixed: Issue #5750: add min/max other version cassandane magic

  • Fixed: Issue #5313: update cassandane valgrind suppressions

Bug fixes

  • Fixed: Issue #5436: fix leaks in imap SELECT and SETQUOTA

  • Fixed: Issue #5437: don't leak cached TLS sessions

  • Fixed: Issue #5602: fix proxy of LIST (SUBSCRIBED) to backends

  • Fixed: Issue #3562: squat crash attempting to search flags (thanks Sven Wegener)

  • Fixed: Issue #4787: VANISHED not working with cyrus proxy

  • Fixed: Issue #5908: auditlog rename of UUID mailboxes

  • Fixed: Issue #6022: various memory leaks