Upstream information

CVE-2026-47082 at MITRE

Description

An issue was discovered in cyrus-imapd in Cyrus IMAP through 3.12.2. The vacation "fcc" feature skips the destination-mailbox ACL. A user whose vacation Sieve script used :fcc (to save a copy of the sent message) could deliver vacation auto-reply copies into any mailbox the script could name, regardless of whether the script owner had insert permissions on the destination mailbox.

SUSE information

Overall state of this security issue: Resolved

This issue is currently rated as having moderate severity.

CVSS v3 Scores
CVSS detail CNA (MITRE)
Base Score 5.4
Vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
Attack Vector Network
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality Impact None
Integrity Impact Low
Availability Impact Low
CVSSv3 Version 3.1
SUSE Bugzilla entry: 1271618 [NEW]

No SUSE Security Announcements cross referenced.

List of released packages

Product(s) Fixed package version(s) References
openSUSE Leap 16.0
  • cyradm >= 3.8.7-bp160.1.1
  • cyrus-imapd >= 3.8.7-bp160.1.1
  • cyrus-imapd-devel >= 3.8.7-bp160.1.1
  • cyrus-imapd-snmp >= 3.8.7-bp160.1.1
  • cyrus-imapd-snmp-mibs >= 3.8.7-bp160.1.1
  • cyrus-imapd-utils >= 3.8.7-bp160.1.1
  • libcyrus0 >= 3.8.7-bp160.1.1
  • perl-Cyrus-Annotator >= 3.8.7-bp160.1.1
  • perl-Cyrus-IMAP >= 3.8.7-bp160.1.1
  • perl-Cyrus-SIEVE-managesieve >= 3.8.7-bp160.1.1
Patchnames:
openSUSE-Leap-16.0-packagehub-428


SUSE Timeline for this CVE

CVE page created: Fri Jul 17 11:36:47 2026
CVE page last modified: Sat Jul 18 11:44:29 2026