IMAP Authentication Vulnerability in Mutt Email Client Software
CVE-2026-43860

3.7LOW

Key Information:

Vendor: Mutt
Status: Mutt
Vendor: CVE Published:; 4 May 2026

What is CVE-2026-43860?

The Mutt email client, prior to version 2.3.2, exhibits a flaw in its handling of IMAP authentication using the CRAM MD5 method. Specifically, the application truncates the hash_passwd by a single byte, potentially leading to authentication failures or security risks. This behavior can undermine the security of user credentials, making it essential for users to upgrade to the latest version to mitigate potential risks associated with this vulnerability.

Affected Version(s)

mutt 0 < 2.3.2

References

https://github.com/muttmua/mutt/commit/834c5a2ed0479e51e8...

CVSS V3.1

Score:

3.7

Severity:

LOW

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 4, 2026
Vulnerability Reserved
May 4, 2026

CVE-2026-43860 Data

JSON