CVE-2026-47242
IMAP Command Injection in Ruby Net::IMAP

Publication date: 2026-06-22

Last updated on: 2026-06-22

Assigner: GitHub, Inc.

Description
Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Prior to 0.6.5 and 0.5.15, when Net::IMAP#id is called with a hash argument, although the ID field value strings are correctly quoted (escaping quoted specials), they were not validated to prohibit CRLF sequences. While Net::IMAP#enable does process its arguments for aliases, it does not validate them as valid atoms (or as a list of valid atoms). The #to_s value is sent verbatim. Arguments to either command could be used by an attacker to inject arbitrary IMAP commands. This vulnerability is fixed in 0.6.5 and 0.5.15.
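As an added example (not Net::IMAP's own code), the helpers below stand in for the kind of client-side validation the fixed versions perform before an ID or ENABLE command reaches the socket. The atom syntax is taken from RFC 3501, the quoting helper shows why escaping quoted-specials alone does not stop a CRLF, and the command builders refuse any argument that could introduce a second line.

```ruby
# Illustrative stand-in for the argument checks added in the fixed releases.
# Not the library's implementation; the wire formats follow RFC 2971 (ID),
# RFC 5161 (ENABLE) and RFC 3501 (atom / quoted-string syntax).

# RFC 3501 atom-specials: ( ) { SP CTL % * " \ ]
# An atom is one or more 7-bit characters that are none of those.
ATOM_RE = /\A[^(){ \x00-\x1f\x7f%*"\\\]]+\z/

def valid_atom?(value)
  value.is_a?(String) && value.ascii_only? && ATOM_RE.match?(value)
end

# IMAP quoted-string encoding escapes only '"' and '\'; CR and LF pass
# through untouched, which is exactly why quoting alone was not enough.
def quote(str)
  '"' + str.gsub(/["\\]/) { |c| "\\" + c } + '"'
end

# ID field values are quoted strings (or NIL); reject anything that would
# let a line break survive into the quoted value.
def validate_id_field!(value, allow_nil: true)
  return value if value.nil? && allow_nil
  raise ArgumentError, "ID field must be a String" unless value.is_a?(String)
  raise ArgumentError, "CR/LF not allowed in ID field" if value.match?(/[\r\n]/)
  value
end

# Build the ID command only after every key and value has been checked.
def build_id_command(hash)
  return "ID NIL" if hash.nil?
  fields = hash.map do |key, val|
    validate_id_field!(key, allow_nil: false)
    validate_id_field!(val)
    "#{quote(key)} #{val.nil? ? 'NIL' : quote(val)}"
  end
  "ID (#{fields.join(' ')})"
end

# ENABLE takes a list of capability atoms; a to_s value that is not an
# atom (a CRLF, a space, an empty string) must never be sent verbatim.
def build_enable_command(*caps)
  atoms = caps.flatten.map do |cap|
    s = cap.to_s
    raise ArgumentError, "not a valid IMAP atom: #{s.inspect}" unless valid_atom?(s)
    s
  end
  "ENABLE #{atoms.join(' ')}"
end
```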
Affected Vendors & Products
Currently, no data is known.
CWE ID   Description
CWE-93   The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs.
CWE-77   The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
Executive Summary

This vulnerability exists in the Net::IMAP Ruby library, which implements IMAP client functionality. Before versions 0.6.5 and 0.5.15, when the Net::IMAP#id method was called with a hash argument, the ID field values were quoted correctly but not validated to prevent CRLF (Carriage Return Line Feed) sequences. Additionally, the Net::IMAP#enable method processes its arguments but does not validate them as valid atoms, sending the string representation verbatim. These issues allow an attacker to inject arbitrary IMAP commands by crafting malicious arguments.

The vulnerability was fixed in versions 0.6.5 and 0.5.15 by adding proper validation to prevent such injection.

Impact Analysis

An attacker exploiting this vulnerability could inject arbitrary IMAP commands into the communication with the IMAP server. This could lead to unauthorized actions being performed on the mail server, such as accessing, modifying, or deleting emails, or disrupting normal IMAP operations.

Mitigation Strategies

To mitigate this vulnerability, update the Net::IMAP Ruby library to version 0.6.5 or later, or 0.5.15 or later, where the issue has been fixed.
