CRLF Injection Vulnerability in Ruby's Net::IMAP Client
CVE-2026-42258

5.8 MEDIUM

Key Information:

Vendor: Ruby

CVE Published: 9 May 2026

What is CVE-2026-42258?

Ruby's Net::IMAP client is vulnerable to CRLF injection or IMAP command injection via symbol arguments passed to IMAP commands. The flaw can allow attackers to manipulate IMAP commands, potentially leading to unauthorized access or to actions performed on behalf of legitimate users. Users are urged to upgrade to version 0.4.24, 0.5.14, or 0.6.4, where the issue has been addressed.

Affected Version(s)

net-imap < 0.4.24

net-imap >= 0.5.0, < 0.5.14

net-imap >= 0.6.0, < 0.6.4
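
The version ranges above and the description of the flaw can be turned into a dependency check. The Ruby below is an added example, not code from net-imap or from this advisory: it tests a resolved Gemfile.lock version against the listed ranges, and `checked_imap_symbol` is a hypothetical stopgap helper for code that cannot upgrade immediately. The lockfile text is constructed sample data.

```ruby
require "rubygems"

# Affected net-imap ranges, copied from the "Affected Version(s)" list above.
AFFECTED_RANGES = [
  Gem::Requirement.new("< 0.4.24"),
  Gem::Requirement.new(">= 0.5.0", "< 0.5.14"),
  Gem::Requirement.new(">= 0.6.0", "< 0.6.4"),
].freeze

# True when the given net-imap version string falls in an affected range.
def net_imap_affected?(version)
  v = Gem::Version.new(version)
  AFFECTED_RANGES.any? { |range| range.satisfied_by?(v) }
end

# Pull the resolved net-imap version out of Gemfile.lock text.
# Resolved specs are indented four spaces; returns nil if net-imap is absent.
def locked_net_imap_version(lockfile_text)
  lockfile_text[/^ {4}net-imap \(([^)]+)\)$/, 1]
end

# Hypothetical stopgap for code that cannot upgrade yet (an assumption, not
# part of net-imap): refuse to build a symbol argument from text with CR/LF.
def checked_imap_symbol(text)
  raise ArgumentError, "CR/LF in IMAP symbol argument" if text.to_s.match?(/[\r\n]/)
  text.to_sym
end

# Constructed sample lockfile, not taken from a real project.
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      mail (2.8.1)
        net-imap
      net-imap (0.5.6)
        date
        net-protocol
LOCK

if __FILE__ == $PROGRAM_NAME
  version = locked_net_imap_version(SAMPLE_LOCKFILE)
  status = net_imap_affected?(version) ? "AFFECTED, upgrade" : "not affected"
  puts "net-imap #{version}: #{status}"
end
```

The input guard only narrows exposure in calling code; upgrading to one of the fixed versions is the remedy this page gives.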

CVSS V4

Score: 5.8
Severity: MEDIUM
Confidentiality: None
Integrity: High
Availability: Low
Attack Vector: Local
Attack Complexity: High
Attack Required: Physical
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved
