CVE-2026-47240
Status: Received - Intake
CRLF Command Injection in Ruby Net::IMAP

Publication date: 2026-06-22

Last updated on: 2026-06-22

Assigner: GitHub, Inc.

Description
Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Prior to 0.6.5 and 0.5.15, several Net::IMAP commands accept a "raw data" argument that is sent verbatim after a validation step intended to prevent command injection. However, if the server does not support non-synchronizing literals, it may still be possible to inject arbitrary IMAP commands inside non-synchronizing literals. A server without support for non-synchronizing literals may interpret the "+}\r\n" as the end of a malformed command line and respond with a tagged BAD. In that case, the contents of the literal will be interpreted as one or more new pipelined commands, allowing a CRLF command injection attack to succeed. This affects criteria for #search and #uid_search; search_keys for #sort, #thread, #uid_sort, and #uid_thread; and attr for #fetch and #uid_fetch. This vulnerability is fixed in 0.6.5 and 0.5.15.
Meta Information
Generated: 2026-06-23
EPSS Evaluated: N/A
Affected Vendors & Products
Currently, no data is known.
CWE
CWE-93: The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs.
CWE-77: The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
Executive Summary

This vulnerability exists in the Net::IMAP Ruby library, which implements IMAP client functionality. Prior to versions 0.6.5 and 0.5.15, certain Net::IMAP commands accept a "raw data" argument that is sent after validation intended to prevent command injection. However, if the IMAP server does not support non-synchronizing literals, it may interpret the data incorrectly, allowing an attacker to inject arbitrary IMAP commands. This happens because the server may treat the end of a malformed command line as the end of a command and then interpret the literal contents as new commands, enabling a CRLF (Carriage Return Line Feed) command injection attack.

The affected commands include #search, #uid_search, #sort, #thread, #uid_sort, #uid_thread, #fetch, and #uid_fetch. The vulnerability was fixed in versions 0.6.5 and 0.5.15 of Net::IMAP.

Impact Analysis

This vulnerability can allow an attacker to perform command injection attacks against an IMAP server when using vulnerable versions of the Net::IMAP client library. By injecting arbitrary IMAP commands, an attacker could potentially manipulate or disrupt email operations, access unauthorized data, or cause denial of service conditions depending on the server's response to injected commands.

Mitigation Strategies

To mitigate this vulnerability, upgrade the Net::IMAP library to version 0.6.5 or later, or 0.5.15 or later, where the issue has been fixed.
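As an added example (not code from the Net::IMAP project or this advisory), the following Ruby guard encodes the two facts the description gives: CR/LF inside a raw argument is the injection primitive, and the attack only succeeds against an unpatched client talking to a server that does not parse non-synchronizing literals. It checks the installed version against the fixed releases (0.6.5 and 0.5.15), rejects raw arguments containing CR or LF, and consults the server's advertised capabilities for LITERAL+ (RFC 2088) or LITERAL- (RFC 7888). The module and method names are assumptions made for this example; the capability list would in practice come from the client's CAPABILITY response.

```ruby
require "rubygems" # Gem::Version; loaded by default in modern Ruby

# Added example (not Net::IMAP's own code): a client-side guard for the
# "raw data" arguments named in CVE-2026-47240 (search criteria, sort/thread
# search_keys, fetch attr). Module and method names are assumptions.
module ImapRawArgGuard
  # Releases in which the advisory says the fix landed.
  FIXED_0_6 = Gem::Version.new("0.6.5")
  FIXED_0_5 = Gem::Version.new("0.5.15")

  # True when the installed Net::IMAP version already carries the fix.
  # The 0.5.x branch is fixed from 0.5.15; everything else needs 0.6.5+.
  def self.patched?(version_string)
    v = Gem::Version.new(version_string)
    if v >= Gem::Version.new("0.6.0")
      v >= FIXED_0_6
    else
      v >= FIXED_0_5
    end
  end

  # Servers advertising LITERAL+ (RFC 2088) or LITERAL- (RFC 7888) parse
  # non-synchronizing literals; a server without them is the one the advisory
  # describes as treating "+}\r\n" as the end of a malformed command line.
  def self.nonsync_literals_supported?(capabilities)
    caps = capabilities.map { |c| c.to_s.upcase }
    caps.include?("LITERAL+") || caps.include?("LITERAL-")
  end

  # A raw argument must never carry CR or LF: that is what lets literal
  # contents be read as new pipelined commands.
  def self.contains_crlf?(raw)
    raw.to_s.match?(/[\r\n]/)
  end

  # Decide whether a raw argument may be handed to #search, #sort, #fetch, etc.
  # Returns [ok, reason].
  def self.check(raw:, version:, capabilities:)
    return [false, "raw argument contains CR/LF"] if contains_crlf?(raw)
    return [true, "library patched"] if patched?(version)
    if nonsync_literals_supported?(capabilities)
      [true, "server parses non-synchronizing literals"]
    else
      [false, "unpatched client and server lacks LITERAL+/LITERAL-; upgrade to 0.6.5 or 0.5.15"]
    end
  end
end

# Constructed sample inputs (not from any real server):
if __FILE__ == $0
  p ImapRawArgGuard.check(raw: "UNSEEN", version: "0.6.4", capabilities: %w[IMAP4rev1 IDLE])
  p ImapRawArgGuard.check(raw: "UNSEEN", version: "0.6.5", capabilities: %w[IMAP4rev1 IDLE])
  p ImapRawArgGuard.check(raw: "SUBJECT \"a\r\nb\"", version: "0.6.5", capabilities: %w[IMAP4rev1])
end
```

Upgrading remains the fix; the guard is only a belt-and-braces check for code bases that cannot move to a fixed release immediately, and it refuses CR/LF unconditionally because the advisory's validation bypass depends on them.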
