Skip to main content

Ruby net-imap CVE-2026-47242

| EUVDEUVD-2026-38353 MEDIUM
Command Injection (CWE-77)
2026-06-09 https://github.com/ruby/net-imap GHSA-46q3-7gv7-qmgg
5.8
CVSS 4.0 · Vendor: https://github.com/ruby/net-imap
Share

Severity by source

Vendor (https://github.com/ruby/net-imap) PRIMARY
5.8 MEDIUM
CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:P/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
SUSE
6.8 MEDIUM
AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L

Primary rating from Vendor (https://github.com/ruby/net-imap).

CVSS VectorVendor: https://github.com/ruby/net-imap

CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:P/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

3
CVSS changed
Jun 22, 2026 - 21:39 NVD
5.8 (MEDIUM)
Source Code Evidence Fetched
Jun 09, 2026 - 20:56 vuln.today
Analysis Generated
Jun 09, 2026 - 20:56 vuln.today

DescriptionCVE.org

Summary

Two Net::IMAP commands, #id and #enable, do not validate their arguments. Arguments to either command could be used by an attacker to inject arbitrary IMAP commands.

Please note that passing untrusted inputs to these commands is usually inappropriate and expected to be uncommon.

Details

When Net::IMAP#id is called with a hash argument, although the ID field value strings are correctly quoted (escaping quoted specials), they were not validated to prohibit CRLF sequences.

While Net::IMAP#enable does process its arguments for aliases, it does not validate them as valid atoms (or as a list of valid atoms). The #to_s value is sent verbatim.

Impact

This is expected to impact very few users: use of untrusted user input for either command is expected to be very uncommon.

The documentation for #enable explicitly warns that using any arguments that are not in the explicitly supported list may result in undocumented behavior. Using arbitrary untrusted user input for #enable will always be inappropriate.

Although client ID field values will most commonly be static and hardcoded, dynamic input sources may be used. For example, client ID fields may be set by configuration or version numbers. Using untrusted user inputs for client ID fields is expected to be uncommon. But any untrusted inputs to client ID can trivially exploit this vulnerability.

Untrusted inputs to either command may include a CRLF sequence followed by a new IMAP command (like DELETE mailbox). Although this does not directly enable data exfiltration, it could be combined with other attack vectors or knowledge of the target system's attributes, e.g.: shared mail folders or the application's installed response handlers.

Mitigation

Update to a version of net-imap which validates #id and #enable arguments.

Untrusted inputs should _never_ be used for #enable arguments.

If net-imap cannot be upgraded:

  • do not use untrusted inputs for client ID field values
  • or add validation that client ID field values must not contain any CR or LF bytes.

AnalysisAI

Command injection in Ruby's net-imap gem allows arbitrary IMAP protocol command injection via the Net::IMAP#id and Net::IMAP#enable methods when untrusted input is passed as arguments. The #id method fails to prohibit CRLF sequences in ID field value strings (despite correctly quoting other specials), while #enable passes argument .to_s values verbatim without validating them as legal IMAP atoms. An attacker who can influence these inputs can terminate the current IMAP command and append arbitrary subsequent IMAP commands such as DELETE mailbox. Rated 'moderate' by the maintainer; no public exploit identified at time of analysis and no CISA KEV listing.

Technical ContextAI

Net::IMAP is Ruby's standard library client for the Internet Message Access Protocol (RFC 3501), shipped as a standalone RubyGems package (pkg:rubygems/net-imap). The #id method implements the IMAP ID extension (RFC 2971), exchanging client/server identification metadata. The #enable method implements RFC 5161, activating optional IMAP capabilities. Both commands construct raw IMAP protocol strings sent over a TCP/TLS socket. The root cause (CWE-77 - Command Injection) is insufficient input neutralization: #id escapes quoted-string specials but omits CRLF validation, and #enable serializes arguments via .to_s without verifying they conform to the IMAP 'atom' token grammar. Because IMAP uses CRLF as a command terminator, an unvalidated CRLF sequence in either command's wire output allows a second, attacker-controlled command to be injected into the protocol stream.

RemediationAI

The primary fix is to upgrade net-imap to version 0.6.4.1 (for applications on the 0.6.x branch) or version 0.5.15 (for applications on the 0.5.x branch), as confirmed by the vendor advisory GHSA-46q3-7gv7-qmgg and the release at https://github.com/ruby/net-imap/releases/tag/v0.6.4.1. The fixes add validation that ID field values contain only permitted bytes (PRs #698 and #699) and that #enable arguments conform to the IMAP atom grammar. If upgrading is not immediately possible, the maintainer recommends two compensating controls: first, eliminate any use of untrusted user input as arguments to Net::IMAP#enable entirely - the documentation already designates this a misuse; second, for Net::IMAP#id, add application-level input validation that rejects any ID field value containing CR (0x0D) or LF (0x0A) bytes before passing them to the library. The trade-off of the second control is that it must be applied consistently at every call site; missing a single call site leaves the injection path open.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Not-Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected

Share

CVE-2026-47242 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy