An issue was discovered in cyrus-imapd in Cyrus IMAP through 3.12.2. The vacation "fcc" feature skips the destination-mailbox ACL. A user whose vacation Sieve script used :fcc (to save a copy of the sent message) could deliver vacation auto-reply copies into any mailbox the script could name, regardless of whether the script owner had insert permissions on the destination mailbox.
Advisories
No advisories yet.
Fixes
Solution
No solution given by the vendor.
Workaround
No workaround given by the vendor.
References
History
Thu, 16 Jul 2026 19:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
ssvc
|
Thu, 16 Jul 2026 18:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | An issue was discovered in cyrus-imapd in Cyrus IMAP through 3.12.2. The vacation "fcc" feature skips the destination-mailbox ACL. A user whose vacation Sieve script used :fcc (to save a copy of the sent message) could deliver vacation auto-reply copies into any mailbox the script could name, regardless of whether the script owner had insert permissions on the destination mailbox. | |
| First Time appeared |
Cyrusimap
Cyrusimap cyrus Imap |
|
| Weaknesses | CWE-863 | |
| CPEs | cpe:2.3:a:cyrusimap:cyrus_imap:*:*:*:*:*:*:*:* | |
| Vendors & Products |
Cyrusimap
Cyrusimap cyrus Imap |
|
| References |
| |
| Metrics |
cvssV3_1
|
Projects
Sign in to view the affected projects.
Status: PUBLISHED
Assigner: mitre
Published:
Updated: 2026-07-16T18:49:27.734Z
Reserved: 2026-05-18T00:00:00.000Z
Link: CVE-2026-47082
Updated: 2026-07-16T18:49:24.502Z
No data.
No data.
OpenCVE Enrichment
No data.
Weaknesses