CRLF Injection Vulnerability in MimeKit Library Affects Email Parsing
CVE-2026-30227

6.9 MEDIUM

Key Information:

Vendor

Jstedfast

Status
Vendor
CVE Published:
6 March 2026

What is CVE-2026-30227?

The MimeKit library, used for creating and parsing MIME messages, is vulnerable to CRLF injection: an attacker can embed carriage return and line feed sequences in the local-part of an SMTP envelope address when that local-part is a quoted-string. RFC 5321 does not permit these characters there, so serializing such an address is non-compliant and can lead to SMTP command injection or mail header injection when an attacker can manipulate mailbox address values that are serialized during an SMTP session. Exploiting the flaw lets the attacker inject unauthorized SMTP commands such as additional RCPT TO, DATA, or RSET commands. The issue was resolved in MimeKit 4.15.1; update to that version.
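
A pre-send check based on the RFC 5321 rule described above, as an added example rather than MimeKit's code or its 4.15.1 fix: it rejects envelope addresses that contain CR, LF or any other character outside what qtextSMTP and quoted-pairSMTP allow. The class and method names are hypothetical, and it assumes ASCII-only envelopes (no SMTPUTF8).

```csharp
using System;

// Added example: hypothetical pre-send filter, not MimeKit's own code or its fix.
public static class EnvelopeAddressCheck
{
    // Conservative filter, not a full RFC 5321 parser: printable ASCII only,
    // balanced quotes, valid quoted-pairs, exactly one unquoted '@'.
    public static bool IsSafe(string address)
    {
        if (string.IsNullOrEmpty(address)) return false;

        bool inQuotes = false;
        int at = -1;

        for (int i = 0; i < address.Length; i++)
        {
            char c = address[i];

            // CR, LF, other control characters and non-ASCII are rejected outright.
            if (c < 32 || c > 126) return false;

            if (inQuotes)
            {
                if (c == '\\')
                {
                    // quoted-pairSMTP = "\" %d32-126: next char must exist and be printable.
                    if (++i >= address.Length) return false;
                    if (address[i] < 32 || address[i] > 126) return false;
                }
                else if (c == '"') inQuotes = false;
            }
            else if (c == '"') inQuotes = true;
            else if (c == ' ') return false;          // spaces are only legal inside quotes
            else if (c == '@')
            {
                if (at >= 0) return false;            // second unquoted '@'
                at = i;
            }
        }
        return !inQuotes && at > 0 && at < address.Length - 1;
    }

    public static void Main()
    {
        // Constructed sample inputs: two valid addresses, one with CRLF, one unterminated quote.
        string[] samples = { "alice@example.com", "\"a b\"@example.com", "\"x\r\ny\"@example.com", "\"open@example.com" };
        foreach (string s in samples)
            Console.WriteLine("{0,-5} {1}", IsSafe(s), s.Replace("\r", "\\r").Replace("\n", "\\n"));
    }
}
```

Run the check on every attacker-influenced sender and recipient value before it reaches the SMTP session, and treat a rejection as a validation error rather than stripping the offending characters.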

Affected Version(s)

MimeKit < 4.15.1

CVSS V4

Score: 6.9
Severity: MEDIUM
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
