diff --git a/cyrus-imapd-CVE-2021-32056.patch b/cyrus-imapd-CVE-2021-32056.patch
new file mode 100644
index 0000000..e4f0c1c
--- /dev/null
+++ b/cyrus-imapd-CVE-2021-32056.patch
@@ -0,0 +1,53 @@
+From 621f9e41465b521399f691c241181300fab55995 Mon Sep 17 00:00:00 2001
+From: Bron Gondwana
+Date: Sun, 18 Apr 2021 22:45:53 +1000
+Subject: [PATCH] annotate: don't allow everyone to write shared server entries
+
+---
+ imap/annotate.c | 24 ++++++++++++------------
+ 1 file changed, 12 insertions(+), 12 deletions(-)
+
+diff --git a/imap/annotate.c b/imap/annotate.c
+index dc59a3b500..a5462d6e5f 100644
+--- a/imap/annotate.c
++++ b/imap/annotate.c
+@@ -2788,15 +2788,20 @@ static int write_entry(struct mailbox *mailbox,
+
+ keylen = make_key(mboxname, uid, entry, userid, key, sizeof(key));
+
+- if (mailbox) {
+- struct annotate_metadata oldmdata;
+- r = read_old_value(d, key, keylen, &oldval, &oldmdata);
+- if (r) goto out;
++ struct annotate_metadata oldmdata;
++ r = read_old_value(d, key, keylen, &oldval, &oldmdata);
++ if (r) goto out;
+
+- /* if the value is identical, don't touch the mailbox */
+- if (oldval.len == value->len && (!value->len || !memcmp(oldval.s, value->s, value->len)))
+- goto out;
++ /* if the value is identical, don't touch the mailbox */
++ if (oldval.len == value->len && (!value->len || !memcmp(oldval.s, value->s, value->len)))
++ goto out;
++
++ if (!maywrite) {
++ r = IMAP_PERMISSION_DENIED;
++ if (r) goto out;
++ }
+
++ if (mailbox) {
+ if (!ignorequota) {
+ quota_t qdiffs[QUOTA_NUMRESOURCES] = QUOTA_DIFFS_DONTCARE_INITIALIZER;
+ qdiffs[QUOTA_ANNOTSTORAGE] = value->len - (quota_t)oldval.len;
+@@ -2804,11 +2809,6 @@ static int write_entry(struct mailbox *mailbox,
+ if (r) goto out;
+ }
+
+- if (!maywrite) {
+- r = IMAP_PERMISSION_DENIED;
+- if (r) goto out;
+- }
+-
+ /* do the annot-changed here before altering the DB */
+ mailbox_annot_changed(mailbox, uid, entry, userid, &oldval, value, silent);
+
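Review bot: In the rewritten region of the embedded patch's first hunk, the identical-value shortcut (`goto out` with r still 0) runs before the new `if (!maywrite)` check, so a caller lacking write permission gets success when the supplied value already equals the stored one and IMAP_PERMISSION_DENIED otherwise; if write_entry is where this permission is enforced, the check belongs before the comparison, i.e. move `if (!maywrite) { r = IMAP_PERMISSION_DENIED; goto out; }` ahead of the `read_old_value` call so the outcome does not depend on the stored value. The moved `if (r) goto out;` directly after assigning an error constant (presumably non-zero) is redundant and reads as a leftover; `goto out;` alone is clearer. Both embedded hunks cut through write_entry, whose start and end lie outside them; the second hunk only removes the old check from inside the `if (mailbox)` block and needs no separate note.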
diff --git a/cyrus-imapd.spec b/cyrus-imapd.spec
index e7c916c..c6fc1d3 100644
--- a/cyrus-imapd.spec
+++ b/cyrus-imapd.spec
@@ -14,7 +14,7 @@ Name: cyrus-imapd
 Version: 3.2.6
-Release: 10%{?dist}
+Release: 11%{?dist}
 %define ssl_pem_file_prefix /etc/pki/%name/%name
@@ -54,6 +54,7 @@ Patch2: patch-cyrus-rename-quota
 # https://github.com/cyrusimap/cyrus-imapd/issues/2629#issuecomment-456925909
 Patch4: patch-cyrus-perl-linking
+Patch100: cyrus-imapd-CVE-2021-32056.patch
 Source10: cyrus-imapd.logrotate
 Source11: cyrus-imapd.pam-config
@@ -658,6 +659,9 @@ getent passwd cyrus >/dev/null || /usr/sbin/useradd -c "Cyrus IMAP Server" -d /v
 %changelog
+* Mon Jul 12 2021 Pavel Zhukov - 3.2.6-10
+- Fix for CVE-2021-32056
+
 * Wed Jun 16 2021 Mohan Boddu
 - Rebuilt for RHEL 9 BETA for openssl 3.0
 Related: rhbz#1971065
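Review bot: The second hunk declares `Patch100: cyrus-imapd-CVE-2021-32056.patch` but nothing in this diff applies it; unless %prep uses `%autosetup`/`%autopatch` (not visible here), a matching `%patch100 -p1` line is required, otherwise the patch ships in the SRPM without ever being applied and the fix is silently absent from the built binaries. The changelog entry in the third hunk reads `3.2.6-10` while the first hunk bumps Release to `11%{?dist}`; it should be `* Mon Jul 12 2021 Pavel Zhukov - 3.2.6-11` so the changelog matches the built NVR (rpmlint reports this as incoherent-version-in-changelog). A one-line comment above the Patch100 line naming the upstream commit, e.g. `# CVE-2021-32056, upstream 621f9e41465b521399f691c241181300fab55995`, would help the next rebase.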