IMAP Client Vulnerability in Ruby's Net::IMAP Affects Multiple Versions
CVE-2026-42246
7.6 HIGH
What is CVE-2026-42246?
A vulnerability in Ruby's Net::IMAP allows a man-in-the-middle attacker to exploit the TLS initiation process, causing Net::IMAP#starttls to return successfully without actually establishing a secure TLS connection. This presents a significant risk because attackers can then intercept and manipulate communications. Patches are available in versions 0.3.10, 0.4.24, 0.5.14, and 0.6.4 to mitigate this issue.
Affected Version(s)
net-imap < 0.3.10
net-imap >= 0.4.0, < 0.4.24
net-imap >= 0.5.0, < 0.5.14
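
A Gemfile.lock check against the version ranges listed above, as an added example (not code from the net-imap project or from this advisory). The helper names and the sample lockfile are constructed; 0.6.x releases before 0.6.4 are reported as unconfirmed, on the assumption that they need review because the page names 0.6.4 as a patched release but lists no 0.6 range.

```ruby
require "rubygems" # Gem::Version and Gem::Requirement

# Affected ranges exactly as listed on this page.
AFFECTED = [
  Gem::Requirement.new("< 0.3.10"),
  Gem::Requirement.new(">= 0.4.0", "< 0.4.24"),
  Gem::Requirement.new(">= 0.5.0", "< 0.5.14"),
].freeze

# Assumption: 0.6.4 is named as patched but no 0.6 range is listed,
# so earlier 0.6.x releases are flagged separately for manual review.
UNCONFIRMED = Gem::Requirement.new(">= 0.6.0", "< 0.6.4")

# Returns :affected, :unconfirmed or :patched for a version string.
def net_imap_status(version)
  v = Gem::Version.new(version)
  return :affected if AFFECTED.any? { |req| req.satisfied_by?(v) }
  return :unconfirmed if UNCONFIRMED.satisfied_by?(v)
  :patched
end

# Extracts the resolved net-imap version from Gemfile.lock text, or nil.
# Resolved specs are indented 4 spaces; dependency lines (6 spaces) are skipped.
def locked_net_imap_version(lockfile_text)
  m = lockfile_text.match(/^ {4}net-imap \(([^)\s]+)\)\s*$/)
  m && m[1]
end

def audit_lockfile(lockfile_text)
  version = locked_net_imap_version(lockfile_text)
  return { version: nil, status: :not_present } unless version
  { version: version, status: net_imap_status(version) }
end

# Constructed sample lockfile: net-imap pulled in transitively by another gem.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      mail (2.8.1)
        net-imap
      net-imap (0.4.9)
        date

  DEPENDENCIES
    mail
LOCK

puts audit_lockfile(SAMPLE_LOCK).inspect if __FILE__ == $PROGRAM_NAME
```

Run it over the lockfile of each deployed application, since net-imap is often a transitive dependency that never appears in the Gemfile itself.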
