CVE-2026-47241
Command Injection in Ruby Net::IMAP

Publication date: 2026-06-22

Last updated on: 2026-06-22

Assigner: GitHub, Inc.

Description
Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Prior to 0.6.5 and 0.5.15, several Net::IMAP commands accept a raw string argument which is only validated to prevent CRLF injection and then sent verbatim. If this string is derived from user-controlled input, an attacker can force the next command to be absorbed as a continuation of the first command. This will cause the first command to eventually fail, but also prevents it from returning until another command is sent (from another thread). That other command will not return until the connection is closed. This vulnerability is fixed in 0.6.5 and 0.5.15.
Meta Information
Generated: 2026-06-23
AI Q&A: 2026-06-23
EPSS Evaluated: N/A
Affected Vendors & Products
Currently, no data is known.
CWE
CWE-186: A regular expression is overly restrictive, which prevents dangerous values from being detected.
CWE-162: The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes trailing special elements that could be interpreted in unexpected ways when they are sent to a downstream component.
CWE-182: The product filters data in a way that causes it to be reduced or "collapsed" into an unsafe value that violates an expected security property.
Executive Summary

This vulnerability exists in the Net::IMAP library, which implements IMAP client functionality in Ruby. Before versions 0.6.5 and 0.5.15, some Net::IMAP commands accept a raw string argument that is only checked to prevent CRLF injection but is otherwise sent exactly as provided.

If this raw string comes from user input, an attacker can manipulate it so that the next IMAP command is treated as a continuation of the first command. This causes the first command to fail eventually but also blocks it from returning a response until another command is sent from a different thread.

The other command will then not return until the connection is closed, effectively causing a denial of service or blocking behavior. This issue was fixed in versions 0.6.5 and 0.5.15 of Net::IMAP.

Impact Analysis

This vulnerability causes IMAP commands to hang or block indefinitely, leading to denial of service conditions in applications using vulnerable versions of Net::IMAP.

An attacker who can supply user-controlled input to these commands can exploit this behavior to disrupt normal IMAP client operations, potentially affecting email retrieval or processing.

Mitigation Strategies

To mitigate this vulnerability, update the Net::IMAP library to version 0.6.5 or later, or 0.5.15 or later, where the issue has been fixed.
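As an added example (not code from the advisory or the net-imap project), the Ruby below gates on the fixed releases named above and applies a strict allowlist to user-controlled strings before they reach any Net::IMAP command, shown next to the CRLF-only check the advisory describes as insufficient. All function names are hypothetical, and the allowlist is derived from the RFC 3501 atom grammar rather than from anything the advisory states.

```ruby
require "rubygems"

# The CRLF-only check the advisory describes: it rejects line breaks but
# passes every other IMAP syntax character through unchanged.
def crlf_free?(str)
  !str.match?(/[\r\n]/)
end

# Strict allowlist derived from the RFC 3501 atom grammar: printable 7-bit
# ASCII only, excluding the characters IMAP gives meaning to, ( ) { % * " \ ],
# plus SP and all control characters. Non-ASCII is rejected because CHAR in
# the grammar is 7-bit. \z (not $) refuses a trailing newline as well.
IMAP_ATOM_RE = /\A(?:(?![(){%*"\\\]])[\x21-\x7E])+\z/

def imap_atom?(str)
  str.is_a?(String) && str.bytesize <= 255 && str.match?(IMAP_ATOM_RE)
end

# Version gate for the fixed releases the advisory names: 0.5.15 on the 0.5
# line, 0.6.5 on the 0.6 line; 0.6.0 to 0.6.4 and anything below 0.5.15 are
# affected. Later lines are assumed to carry the fix.
def net_imap_fixed?(version)
  v = Gem::Version.new(version)
  if v < Gem::Version.new("0.6")
    v >= Gem::Version.new("0.5.15")
  else
    v >= Gem::Version.new("0.6.5")
  end
end

# Defence in depth: refuse user-controlled values that are not plain atoms
# before they reach any Net::IMAP command, even on a fixed version.
def guarded_imap_argument(str)
  raise ArgumentError, "IMAP argument rejected: #{str.inspect}" unless imap_atom?(str)
  str
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs: a plain mailbox name, one containing a space,
  # one containing a double quote, and one with a non-ASCII character.
  ["Archive", "in box", %q(x"y), "Entw\u00fcrfe"].each do |s|
    printf("%-14s crlf_free=%-5s atom=%s\n", s.inspect, crlf_free?(s), imap_atom?(s))
  end
end
```

Values that fail the allowlist but are legitimate (for example non-ASCII mailbox names) should be handled through the library's own encoding paths rather than passed as raw strings.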
