CVE-2026-42246
Modified
Modified - Updated After Analysis
Man-in-the-Middle TLS Bypass in Ruby Net::IMAP
Vulnerability report for CVE-2026-42246, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.
Publication date: 2026-05-09
Last updated on: 2026-07-07
Assigner: GitHub, Inc.
Description
Description
Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Prior to versions 0.3.10, 0.4.24, 0.5.14, and 0.6.4, a man-in-the-middle attacker can cause Net::IMAP#starttls to return "successfully", without starting TLS. This issue has been patched in versions 0.3.10, 0.4.24, 0.5.14, and 0.6.4.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| ruby-lang | net | From 0.5.0 (inc) to 0.5.14 (exc) |
| ruby-lang | net | From 0.6.0 (inc) to 0.6.4 (exc) |
| ruby-lang | net | From 0.4.0 (inc) to 0.4.24 (exc) |
| ruby-lang | net | to 0.3.10 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-393 | A function or operation returns an incorrect return value or status code that does not indicate the true result of execution, causing the product to modify its behavior based on the incorrect result. |
| CWE-325 | The product does not implement a required step in a cryptographic algorithm, resulting in weaker encryption than advertised by the algorithm. |
| CWE-392 | The product encounters an error but does not provide a status code or return value to indicate that an error has occurred. |
| CWE-636 | When the product encounters an error condition or failure, its design requires it to fall back to a state that is less secure than other options that are available, such as selecting the weakest encryption algorithm or using the most permissive access control restrictions. |
| CWE-754 | The product does not check or incorrectly checks for unusual or exceptional conditions that are not expected to occur frequently during day to day operation of the product. |
| CWE-841 | The product supports a session in which more than one behavior must be performed by an actor, but it does not properly ensure that the actor performs the behaviors in the required sequence. |