From a46816b4cb7d72dc6cc185a0e1f6e081e44a4d7c Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Tue, 17 Mar 2026 16:18:03 +0100
Subject: [PATCH] imap: reset the UIDVALIDITY state between transfers

uidvalidity_set and mb_uidvalidity_set flags were never reset, leaving a
risk for stale UIDVALIDITY state across transfers and mailbox switches.

Follow-up to fb6a4802d7a76d8e36652b

Spotted by Codex Security

Closes #20962
---
 lib/imap.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/lib/imap.c b/lib/imap.c
index 7bd58c0004..8ac9eb6ec5 100644
--- a/lib/imap.c
+++ b/lib/imap.c
@@ -776,6 +776,7 @@ static CURLcode imap_perform_select(struct Curl_easy *data,
 
   /* Invalidate old information as we are switching mailboxes */
   Curl_safefree(imapc->mailbox);
+  imapc->mb_uidvalidity_set = FALSE;
 
   /* Check we have a mailbox */
   if(!imap->mailbox) {
@@ -1703,6 +1704,7 @@ static void imap_easy_reset(struct IMAP *imap)
   Curl_safefree(imap->query);
   Curl_safefree(imap->custom);
   Curl_safefree(imap->custom_params);
+  imap->uidvalidity_set = FALSE;
   /* Clear the transfer mode for the next request */
   imap->transfer = PPTRANSFER_BODY;
 }