Description
OfflineIMAP before 8.0.3 trusts the server with their STARTTLS capability prior to authentication, which allows STRIPTLS/man-in-the-middle attacks, taking over the connection and extracting account credentials in cleartext.
Published: 2026-06-08
Score: 6.5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

OfflineIMAP versions before 8.0.3 decide whether to start TLS from the capability list the server returns over the still-unencrypted connection, before any authentication has taken place. An attacker who can sit between the client and the mail server can rewrite that list to remove the STARTTLS capability (a STRIPTLS attack); the client then continues with a cleartext login instead of refusing, and the attacker reads the account credentials as they pass. The impact is loss of confidentiality of the stored mail account credentials, which can lead to full account compromise and unauthorized access to the user's mail data.

Affected Systems

The affected product is OfflineIMAP, an open source IMAP synchronization client. All releases before 8.0.3 (8.0.2 and earlier) are vulnerable. Exposure is limited to accounts that connect over a plaintext IMAP port and rely on STARTTLS to upgrade the session; accounts using implicit TLS (IMAPS) never go through the STARTTLS negotiation this flaw concerns.

Risk and Exploitability

The CVSS 3.1 base score of 6.5 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N) rates the issue Medium: no privileges or user interaction are required, but the attacker must already be able to intercept traffic between the client and the mail server, which is why attack complexity is high. No EPSS score is available, so exploit likelihood cannot be quantified, and the CVE is not listed in the CISA KEV catalog, so no exploitation in the wild is documented. Given a position on an untrusted network path, the attack itself is straightforward: the attacker relays or impersonates the server, drops the STARTTLS offer, and captures the credentials the client sends before any encryption is established.

Generated by OpenCVE AI on June 8, 2026 at 16:28 UTC.
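The downgrade described above, as an added worked example that is not OfflineIMAP's code and not part of the OpenCVE record: a constructed toy IMAP server, an in-path attacker that deletes STARTTLS from the CAPABILITY reply, and one client function run under two policies, the flawed one that trusts the pre-TLS capability list and falls back to a cleartext LOGIN, and the hardened one that refuses to authenticate when the expected STARTTLS is missing. The command tags, the account name alice with password hunter2, and the toy server's responses are all constructed; the TLS handshake is modelled as a flag on the server rather than performed.

```python
"""STRIPTLS against an IMAP client that trusts the pre-TLS CAPABILITY list.

Constructed simulation (added example, not OfflineIMAP's code): no sockets
and no real TLS; messages are passed as strings so it runs offline.
"""
import re
from dataclasses import dataclass, field


@dataclass
class ToyImapServer:
    """Minimal IMAP responder (CAPABILITY, STARTTLS, LOGIN). STARTTLS just
    flips a flag; LOGIN records whether it arrived before that flag was set,
    i.e. in cleartext."""
    tls_active: bool = False
    plaintext_logins: list = field(default_factory=list)

    def handle(self, line: str) -> str:
        tag, _, rest = line.partition(" ")
        verb, _, args = rest.partition(" ")
        verb = verb.upper()
        if verb == "CAPABILITY":
            # STARTTLS is only advertised while the session is still plaintext.
            caps = "IMAP4rev1 AUTH=PLAIN" + ("" if self.tls_active else " STARTTLS")
            return f"* CAPABILITY {caps}\r\n{tag} OK CAPABILITY completed\r\n"
        if verb == "STARTTLS":
            self.tls_active = True
            return f"{tag} OK Begin TLS negotiation now\r\n"
        if verb == "LOGIN":
            if not self.tls_active:
                self.plaintext_logins.append(args)
            return f"{tag} OK LOGIN completed\r\n"
        return f"{tag} BAD unknown command\r\n"


class StripTlsAttacker:
    """In-path attacker: relays every line to the real server but deletes the
    STARTTLS token from CAPABILITY replies, so the client believes the server
    cannot do TLS. Everything sent before TLS is visible to it, LOGIN included."""

    def __init__(self, upstream: ToyImapServer):
        self.upstream = upstream
        self.captured_credentials: list = []

    def handle(self, line: str) -> str:
        parts = line.split(" ", 2)
        if len(parts) == 3 and parts[1].upper() == "LOGIN":
            self.captured_credentials.append(parts[2])   # "user password"
        return re.sub(r" STARTTLS\b", "", self.upstream.handle(line))


def imap_login(peer, user: str, password: str, require_tls: bool) -> str:
    """Client side. require_tls=False models the flawed behaviour: the
    plaintext, unauthenticated CAPABILITY list decides whether STARTTLS is
    attempted, and a missing token silently falls back to a cleartext LOGIN.
    require_tls=True is the hardened policy: the account expects STARTTLS,
    so its absence is treated as an attack and the login is refused."""
    reply = peer.handle("a1 CAPABILITY")
    match = re.search(r"^\* CAPABILITY (.*)$", reply, re.M)
    advertised = set(match.group(1).split()) if match else set()

    if "STARTTLS" in advertised:
        if not peer.handle("a2 STARTTLS").startswith("a2 OK"):
            return "abort: server refused STARTTLS"
        # Discard the pre-TLS list and ask again inside the protected channel.
        peer.handle("a3 CAPABILITY")
    elif require_tls:
        return "abort: STARTTLS not offered, refusing cleartext login"

    peer.handle(f"a4 LOGIN {user} {password}")
    return "logged in"


def run_scenarios() -> dict:
    """Same attacker, both client policies. Returns
    {policy: (client outcome, credentials the attacker saw, server TLS flag)}."""
    results = {}
    for hardened in (False, True):
        server = ToyImapServer()
        attacker = StripTlsAttacker(server)
        outcome = imap_login(attacker, "alice", "hunter2", require_tls=hardened)
        results["hardened" if hardened else "vulnerable"] = (
            outcome, list(attacker.captured_credentials), server.tls_active)
    return results


if __name__ == "__main__":
    for policy, (outcome, seen, tls) in run_scenarios().items():
        print(f"{policy:10s} client: {outcome}; attacker saw {seen}; server TLS={tls}")
```

With the attacker in the path, the vulnerable policy reports a successful login while the attacker holds the string "alice hunter2" and the server never entered TLS; the hardened policy aborts and the attacker captures nothing. Against the honest toy server the hardened client still logs in, and only after STARTTLS, which is the behaviour a fixed client must show. Re-querying CAPABILITY after STARTTLS matters as well: the pre-TLS list was under attacker control and must not be reused for any later decision.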

Remediation

No vendor fix or workaround reference is currently recorded for this CVE; the description itself places the fix in version 8.0.3.

OpenCVE Recommended Actions

  • Upgrade OfflineIMAP to 8.0.3 or later; the CVE description marks 8.0.3 as the first release that no longer trusts the server's STARTTLS capability before authentication.
  • If an upgrade is not immediately possible, switch affected accounts to implicit TLS (IMAPS, normally port 993) so that no STARTTLS negotiation takes place at all; a client that does use STARTTLS must refuse to authenticate when the capability is missing or the upgrade fails, rather than fall back to cleartext.
  • Limit exposure by keeping the client on trusted networks or a VPN, and monitor for cleartext IMAP logins (LOGIN or AUTHENTICATE on the plaintext IMAP port without a preceding successful STARTTLS), which is exactly what this attack produces on the wire.


Advisories

No advisories yet.

History

Mon, 08 Jun 2026 18:15:00 +0000

Values Removed: (none)
Values Added:
  Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 08 Jun 2026 16:45:00 +0000

Values Removed: (none)
Values Added:
  Title: Startup TLS Trust Issue Enables Credential Disclosure

Mon, 08 Jun 2026 15:45:00 +0000

Values Removed: (none)
Values Added:
  Description: OfflineIMAP before 8.0.3 trusts the server with their STARTTLS capability prior to authentication, which allows STRIPTLS/man-in-the-middle attacks, taking over the connection and extracting account credentials in cleartext.
  First Time appeared: Offlineimap (vendor); Offlineimap offlineimap (product)
  Weaknesses: CWE-348
  CPEs: cpe:2.3:a:offlineimap:offlineimap:*:*:*:*:*:*:*:*
  Vendors & Products: Offlineimap (vendor); Offlineimap offlineimap (product)
  References: (none)
  Metrics (cvssV3_1): {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-06-08T18:49:00.993Z

Reserved: 2026-06-08T15:05:08.771Z

Link: CVE-2020-37248

Vulnrichment

Updated: 2026-06-08T18:08:35.611Z

NVD

Status : Received

Published: 2026-06-08T16:16:33.257

Modified: 2026-06-08T16:16:33.257

Link: CVE-2020-37248

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-08T16:30:06Z

Weaknesses