IMAP Command Injection Vulnerability in Ruby Net::IMAP Client
CVE-2026-42257

5.8 MEDIUM

Key Information:

Vendor: Ruby
Status: Vendor
CVE Published: 9 May 2026

What is CVE-2026-42257?

The Net::IMAP component in Ruby (the net-imap gem) contains a vulnerability caused by improper handling of user-controlled input in several IMAP commands. Versions before 0.4.24, 0.5.14, and 0.6.4 do not adequately validate or escape raw string arguments before sending them to the server. An attacker who controls such an argument can include CRLF sequences in it to inject arbitrary IMAP commands into the connection. Users are advised to upgrade to a patched version to mitigate this risk.
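As an added illustration (not code from the net-imap gem or from this advisory), the Ruby snippet below contrasts a raw string argument pasted into an IMAP command line with the same argument encoded as an RFC 3501 quoted string or literal, and models how a server would read each; `raw_select`, `imap_encode_string`, `safe_select` and `command_lines` are hypothetical helper names, and `command_lines` is a simplified stand-in for a server's command reader.

```ruby
# Added example (not code from net-imap or the advisory); raw_select,
# imap_encode_string, safe_select and command_lines are hypothetical names.

# Naive serialization: the caller's string is pasted into the command line
# unchanged, so any CRLF it carries ends the command early.
def raw_select(tag, mailbox)
  "#{tag} SELECT #{mailbox}\r\n"
end

# Encode an arbitrary string as an IMAP string (RFC 3501 section 4.3):
# a quoted string when it holds no CR, LF or NUL, otherwise a literal
# "{<n>}\r\n<n bytes>". The byte count tells the server exactly how much
# data follows, so an embedded CRLF is consumed as data, not as a new line.
def imap_encode_string(str)
  bytes = str.b
  raise ArgumentError, "NUL byte is not allowed in IMAP strings" if bytes.include?("\0")
  if bytes.match?(/[\r\n]/) || bytes.bytesize > 1024
    "{#{bytes.bytesize}}\r\n#{bytes}"
  else
    "\"#{bytes.gsub(/["\\]/) { |c| "\\#{c}" }}\""
  end
end

# Hardened serialization: every argument goes through the encoder.
def safe_select(tag, mailbox)
  "#{tag} SELECT #{imap_encode_string(mailbox)}\r\n"
end

# Simplified model of a server reading commands: split on CRLF, but when a
# line ends with a literal prefix "{n}", the next n bytes belong to the same
# command. Returns the list of command lines the server would act on.
def command_lines(wire)
  lines = []
  current = +""
  pos = 0
  while (nl = wire.index("\r\n", pos))
    current << wire[pos...nl]
    pos = nl + 2
    if (m = current.match(/\{(\d+)\}\z/))
      n = m[1].to_i
      current << "\r\n" << wire[pos, n].to_s
      pos += n
    else
      lines << current
      current = +""
    end
  end
  lines
end
```

With a mailbox name that carries a CRLF, `raw_select` yields two command lines while `safe_select` yields one, which is the behaviour the patched versions restore.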

Affected Version(s)

  • net-imap < 0.4.24 (fixed in 0.4.24)

  • net-imap >= 0.5.0, < 0.5.14 (fixed in 0.5.14)

  • net-imap >= 0.6.0, < 0.6.4 (fixed in 0.6.4)

References

CVSS V4

Score: 5.8
Severity: MEDIUM
Confidentiality: None
Integrity: High
Availability: Low
Attack Vector: Local
Attack Complexity: Low
Attack Required: Physical
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published

  • Vulnerability reserved
