CVE-2026-47242
Deferred Deferred - Pending Action

IMAP Command Injection in Ruby Net::IMAP

Vulnerability report for CVE-2026-47242, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-22

Last updated on: 2026-06-23

Assigner: GitHub, Inc.

Description

Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Prior to 0.6.5 and 0.5.15, when Net::IMAP#id is called with a hash argument, although the ID field value strings are correctly quoted (escaping quoted specials), they were not validated to prohibit CRLF sequences. While Net::IMAP#enable does process its arguments for aliases, it does not validate them as valid atoms (or as a list of valid atoms). The #to_s value is sent verbatim. Arguments to either command could be used by an attacker to inject arbitrary IMAP commands. This vulnerability is fixed in 0.6.5 and 0.5.15.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-22
Last Modified
2026-06-23
Generated
2026-07-13
AI Q&A
2026-06-23
EPSS Evaluated
2026-07-12
NVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
ruby net_imap to 0.6.5 (inc)
ruby net_imap to 0.5.15 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-77 The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
CWE-93 The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in the Net::IMAP Ruby library, which implements IMAP client functionality. Before versions 0.6.5 and 0.5.15, when the Net::IMAP#id method was called with a hash argument, the ID field values were quoted correctly but not validated to prevent CRLF (Carriage Return Line Feed) sequences. Additionally, the Net::IMAP#enable method processes its arguments but does not validate them as valid atoms, sending the string representation verbatim. These issues allow an attacker to inject arbitrary IMAP commands by crafting malicious arguments.

The vulnerability was fixed in versions 0.6.5 and 0.5.15 by adding proper validation to prevent such injection.

Impact Analysis

An attacker exploiting this vulnerability could inject arbitrary IMAP commands into the communication with the IMAP server. This could lead to unauthorized actions being performed on the mail server, such as accessing, modifying, or deleting emails, or disrupting normal IMAP operations.

Mitigation Strategies

To mitigate this vulnerability, update the Net::IMAP Ruby library to version 0.6.5 or later, or 0.5.15 or later, where the issue has been fixed.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Detection Guidance

Detection of this vulnerability involves identifying usage of vulnerable versions of the Ruby net-imap gem (versions 0.6.0 to 0.6.4 and 0.5.0 to 0.5.14) and monitoring for suspicious IMAP commands that include unvalidated input, especially those using the #id and #enable commands with arguments containing CRLF sequences or invalid atoms.

Since the vulnerability allows injection of arbitrary IMAP commands via unvalidated input, network detection could focus on capturing IMAP traffic and searching for unusual command sequences or CRLF injection patterns within #id or #enable commands.

On the system, you can check the installed version of the net-imap gem with the following command:

  • gem list net-imap

To detect potential exploitation attempts in network traffic, you might use a tool like tcpdump or Wireshark to capture IMAP traffic and then search for suspicious patterns. For example, using tcpdump to capture IMAP traffic on port 143:

  • tcpdump -i any -s 0 -A port 143

Then, inspect the captured traffic for #id or #enable commands containing CRLF sequences or unexpected characters that could indicate injection attempts.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-47242. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart