CVE-2026-30227
Status: Received - Intake
CRLF Injection in MimeKit SMTP Envelope Enables Command Injection

Publication date: 2026-03-06

Last updated on: 2026-03-12

Assigner: GitHub, Inc.

Description
MimeKit is a C# library which may be used for the creation and parsing of messages using the Multipurpose Internet Mail Extension (MIME), as defined by numerous IETF specifications. Prior to version 4.15.1, a CRLF injection vulnerability in MimeKit allows an attacker to embed \r\n into the SMTP envelope address local-part (when the local-part is a quoted-string). This is non-compliant with RFC 5321 and can result in SMTP command injection (e.g., injecting additional RCPT TO / DATA / RSET commands) and/or mail header injection, depending on how the application uses MailKit/MimeKit to construct and send messages. The issue becomes exploitable when the attacker can influence a MailboxAddress (MAIL FROM / RCPT TO) value that is later serialized to an SMTP session. RFC 5321 explicitly defines the SMTP mailbox local-part grammar and does not permit CR (13) or LF (10) inside Quoted-string (qtextSMTP and quoted-pairSMTP ranges exclude control characters). SMTP commands are terminated by <CRLF>, making CRLF injection in command arguments particularly dangerous. This issue has been patched in version 4.15.1.
Meta Information
Published: 2026-03-06
Last Modified: 2026-03-12
Generated: 2026-05-07
AI Q&A: 2026-03-06
EPSS Evaluated: 2026-05-05
Affected Vendors & Products (1 associated CPE)
Vendor: jstedfast
Product: mimekit
Version / Range: up to 4.15.1 (excluding)
CWE
CWE-93: The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-30227 is a CRLF injection vulnerability in MimeKit versions prior to 4.15.1. MimeKit is a C# library used for creating and parsing MIME messages. The vulnerability occurs because MimeKit improperly allows carriage return (CR) and line feed (LF) characters inside the quoted local-part of an SMTP envelope address (MAIL FROM or RCPT TO), which violates RFC 5321.

RFC 5321 forbids CR and LF characters within the quoted-string of the local-part because SMTP commands are terminated by CRLF sequences. Injecting CRLF into these command arguments can allow an attacker to inject additional SMTP commands such as RCPT TO, DATA, or RSET.

This vulnerability becomes exploitable when an attacker can influence the mailbox address used in the SMTP session, allowing them to inject arbitrary SMTP commands and potentially manipulate the SMTP transaction.


How can this vulnerability impact me?

This vulnerability can lead to SMTP command injection, allowing an attacker to add or modify SMTP recipients, manipulate SMTP transactions, or inject early DATA commands.

Potential impacts include email forgery, mail redirection, data exfiltration, corruption of SMTP transaction state, and possible mail header injection depending on how the application uses MimeKit/MailKit.

Additionally, attackers may evade or mislead logging and auditing by altering SMTP transcripts, which can complicate incident detection and response.

The vulnerability affects any application using MimeKit/MailKit to send emails over SMTP where mailbox addresses can be influenced by untrusted input, such as user-supplied addresses or tenant-configurable identities.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring SMTP sessions for injected CRLF sequences within the local-part of envelope addresses (MAIL FROM or RCPT TO) that violate RFC 5321. Specifically, look for SMTP envelope addresses containing carriage return (CR, ASCII 13) and line feed (LF, ASCII 10) characters embedded inside quoted local-parts.

One approach is to capture SMTP traffic using network packet capture tools or SMTP protocol logging features and search for suspicious mailbox addresses that include \r\n sequences within quoted strings.

Example commands to detect such injection attempts include:

- Using tcpdump or tshark to capture SMTP traffic and filter for suspicious patterns:
  - tcpdump -i <interface> -A port 25 | grep -P '".*\r\n.*"'
  - tshark -i <interface> -Y 'smtp.req.parameter contains "\r\n"' -T fields -e smtp.req.parameter
- Using application-level SMTP protocol logging (e.g., MailKit's ProtocolLogger) to capture SMTP sessions and inspect for injected commands or unexpected CRLF sequences in envelope addresses. [1]

Two caveats apply to the capture-based commands. tcpdump -A prints each LF as a line break (and drops the CR before it), so an injected CRLF shows up as an unexpected extra command line following a MAIL FROM or RCPT TO whose path has no closing '>' on the same line, not as a literal \r\n inside one quoted string; the tshark filter inspects the whole command parameter and does not have this limitation. Both only see cleartext sessions, so submissions over STARTTLS or implicit TLS (typically ports 587 and 465) must be inspected through application-level protocol logging instead.


What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation step is to upgrade MimeKit and MailKit to version 4.15.1 or later, where this CRLF injection vulnerability has been patched.

Additionally, ensure that any application using MimeKit/MailKit properly validates and sanitizes mailbox addresses, rejecting any that contain carriage return (CR) or line feed (LF) characters in the local-part, especially within quoted strings, to comply with RFC 5321.

If upgrading immediately is not possible, consider implementing input validation or filtering on user-supplied email addresses to block CR and LF characters before they reach the SMTP sending component.
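The following Python example is added here to illustrate both the detection approach described above and the address validation recommended as a stop-gap mitigation; it is not code from MimeKit, MailKit or this advisory. validate_envelope_address applies the RFC 5321 local-part grammar (Dot-string or Quoted-string) and rejects any control character, so an address with an embedded CR/LF never reaches the SMTP layer. scan_client_stream reads a raw client-to-server SMTP byte stream (for example a followed TCP stream from a capture, or a protocol log with its "C: " prefixes stripped) and flags the on-the-wire signature of the injection: a MAIL FROM or RCPT TO line whose envelope path is cut short, plus any non-command line in the command phase. The function names, the SMTP_VERBS set and the two sample streams are constructed for this example.

```python
import re
from typing import Optional

# RFC 5321 section 4.1.2 grammar for the local-part of a Mailbox:
#   Dot-string      = Atom *("." Atom)            (Atom = 1*atext)
#   Quoted-string   = DQUOTE *QcontentSMTP DQUOTE
#   qtextSMTP       = %d32-33 / %d35-91 / %d93-126
#   quoted-pairSMTP = %d92 %d32-126
# Neither alternative admits CR (13), LF (10) or any other control character.
ATEXT = r"[A-Za-z0-9!#$%&'*+\-/=?^_`{|}~]"
DOT_STRING = re.compile(rf"^{ATEXT}+(?:\.{ATEXT}+)*$")
QUOTED_STRING = re.compile(r'^"(?:[\x20\x21\x23-\x5b\x5d-\x7e]|\\[\x20-\x7e])*"$')
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?"
DOMAIN = re.compile(rf"^(?:{LABEL}(?:\.{LABEL})*|\[[0-9A-Za-z.:]+\])$")


def validate_envelope_address(addr: str) -> Optional[str]:
    """Return None if addr is an RFC 5321 Mailbox that is safe to place in
    MAIL FROM / RCPT TO, otherwise a short reason for rejecting it."""
    # Reject CR, LF and every other control character anywhere in the address,
    # before any grammar check: this is the CWE-93 condition itself.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in addr):
        return "control character (CR/LF or other) in address"
    # Split at the last '@' so a quoted local-part containing '@' is handled.
    at = addr.rfind("@")
    if at <= 0 or at == len(addr) - 1:
        return "missing local-part or domain"
    local, domain = addr[:at], addr[at + 1:]
    if len(local) > 64:
        return "local-part exceeds 64 octets"
    if local.startswith('"'):
        if not QUOTED_STRING.match(local):
            return "malformed quoted-string local-part"
    elif not DOT_STRING.match(local):
        return "malformed dot-string local-part"
    if not DOMAIN.match(domain):
        return "malformed domain"
    return None


# Command verbs a client may send in the command phase (constructed list).
SMTP_VERBS = {b"HELO", b"EHLO", b"MAIL", b"RCPT", b"DATA", b"RSET", b"NOOP",
              b"QUIT", b"VRFY", b"EXPN", b"HELP", b"AUTH", b"STARTTLS", b"BDAT"}


def scan_client_stream(data: bytes) -> list:
    """Split a raw client->server SMTP stream on CRLF and report lines that
    carry the signature of a CRLF injected into an envelope address."""
    findings = []
    in_data = False  # message body after DATA is not command traffic
    for n, raw in enumerate(data.split(b"\r\n"), 1):
        if in_data:
            if raw == b".":
                in_data = False
            continue
        if raw == b"":  # empty tail after the final CRLF
            continue
        verb = raw.split(b" ", 1)[0].split(b":", 1)[0].upper()
        line = raw.decode("ascii", "replace")
        if verb not in SMTP_VERBS:
            findings.append(f"line {n}: non-command line in command phase: {line!r}")
            continue
        if verb == b"DATA":
            in_data = True
        if verb in (b"MAIL", b"RCPT"):
            _, _, arg = line.partition(":")
            path = arg.strip()
            end = path.find(">")
            # After an injected CRLF the closing quote and '>' land on a later
            # line, so the path is unterminated or its quotes are unbalanced.
            segment = path[1:end] if end >= 0 else path[1:]
            unbalanced = re.sub(r"\\.", "", segment).count('"') % 2 == 1
            if not path.startswith("<") or end < 0 or unbalanced:
                findings.append(f"line {n}: truncated or unbalanced envelope path: {line!r}")
    return findings


# Constructed sample streams (client side only) for running the scanner offline.
LEGIT_STREAM = (
    b"EHLO client.example.test\r\n"
    b"MAIL FROM:<alice@example.test>\r\n"
    b'RCPT TO:<"bob smith"@example.test>\r\n'
    b"DATA\r\nSubject: hello\r\n\r\nbody\r\n.\r\nQUIT\r\n"
)
INJECTED_STREAM = (
    b"MAIL FROM:<alice@example.test>\r\n"
    b'RCPT TO:<"bob\r\n'              # quoted local-part cut by an injected CRLF
    b"RCPT TO:<mallory@attacker.test>\r\n"
    b"DATA\r\n"
    b'"@example.test>\r\n'
)

if __name__ == "__main__":
    for addr in ("alice@example.test", '"bob smith"@example.test', '"bob\r\nRSET"@example.test'):
        print(repr(addr), "->", validate_envelope_address(addr) or "ok")
    print(scan_client_stream(LEGIT_STREAM))
    print(scan_client_stream(INJECTED_STREAM))
```

The scanner deliberately reports the MAIL FROM / RCPT TO line that was cut short rather than pattern-matching on \r\n, because once the stream has been split into lines (as tcpdump -A and most protocol loggers do) the CRLF is no longer visible; the command lines that follow a flagged line up to the next well-formed path are the injected ones. On the mitigation side, validate_envelope_address is meant to run on any user-supplied or tenant-configured address before it is handed to the mail library, and it is still worthwhile after upgrading to 4.15.1 as a defence-in-depth check.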

