Skip to main content

MailKit CVE-2026-41319

| EUVDEUVD-2026-25388 MEDIUM
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') (CWE-74)
2026-04-24 GitHub_M
6.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

6
Patch released
Apr 25, 2026 - 03:16 nvd
Patch available
Patch available
Apr 24, 2026 - 05:31 EUVD
Analysis Generated
Apr 24, 2026 - 04:31 vuln.today
EUVD ID Assigned
Apr 24, 2026 - 04:00 euvd
EUVD-2026-25388
Analysis Generated
Apr 24, 2026 - 04:00 vuln.today
CVE Published
Apr 24, 2026 - 03:07 nvd
MEDIUM 6.5

DescriptionGitHub Advisory

MailKit is a cross-platform mail client library built on top of MimeKit. A STARTTLS Response Injection vulnerability in versions prior to 4.16.0 allows a Man-in-the-Middle attacker to inject arbitrary protocol responses across the plaintext-to-TLS trust boundary, enabling SASL authentication mechanism downgrade (e.g., forcing PLAIN instead of SCRAM-SHA-256). The internal read buffer in SmtpStream, ImapStream, and Pop3Stream is not flushed when the underlying stream is replaced with SslStream during STARTTLS upgrade, causing pre-TLS attacker-injected data to be processed as trusted post-TLS responses. Version 4.16.0 patches the issue.

AnalysisAI

STARTTLS response injection in MailKit prior to version 4.16.0 allows man-in-the-middle attackers to downgrade SASL authentication mechanisms by injecting malicious protocol responses before TLS negotiation completes. The vulnerability stems from failure to flush the internal read buffer when upgrading from plaintext to encrypted connections, enabling attackers to force weaker authentication (e.g., PLAIN instead of SCRAM-SHA-256) on affected SMTP, IMAP, and POP3 connections. User interaction is required (establishing a mail connection through the client), and exploitation requires network position to intercept and modify STARTTLS exchanges. Vendor-released patch version 4.16.0 addresses the issue.

Technical ContextAI

MailKit is a .NET mail client library providing SMTP, IMAP, and POP3 protocol implementations. The vulnerability affects the protocol stream classes (SmtpStream, ImapStream, Pop3Stream) which maintain internal read buffers to parse server responses. During STARTTLS negotiation, these streams replace the underlying network stream with an SslStream to establish TLS encryption. The flaw occurs because data already buffered from the plaintext phase is not discarded before TLS wraps the connection. This violates the trust boundary assumption that post-STARTTLS responses originate from the authenticated server: an attacker positioned on the network can inject SASL capability advertisements or authentication challenge responses into the buffer before STARTTLS completes. When the application consumes buffered data after TLS activation, it treats attacker-controlled content as server-authenticated responses, enabling mechanism downgrade attacks. The root cause is improper state management during protocol upgrade (CWE-74: Improper Neutralization of Special Elements in Output).

RemediationAI

Upgrade MailKit to version 4.16.0 or later immediately. This is the primary and complete fix; the patch flushes the internal read buffer when transitioning from plaintext to TLS, eliminating the response injection window. Organizations unable to upgrade immediately should implement network-level mitigations: enforce HTTPS/TLS proxies for mail traffic, disable STARTTLS and require implicit TLS (port 465/993/995) instead, or restrict mail client usage to authenticated corporate networks with traffic inspection. These workarounds trade convenience (STARTTLS auto-upgrade) for security. The patch carries no known regressions and should be deployed as soon as possible, particularly for production mail systems handling sensitive authentication.

Share

CVE-2026-41319 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy