Description
MimeKit is a C# library which may be used for the creation and parsing of messages using the Multipurpose Internet Mail Extension (MIME), as defined by numerous IETF specifications. Prior to version 4.15.1, a CRLF injection vulnerability in MimeKit allows an attacker to embed \r\n into the SMTP envelope address local-part (when the local-part is a quoted-string). This is non-compliant with RFC 5321 and can result in SMTP command injection (e.g., injecting additional RCPT TO / DATA / RSET commands) and/or mail header injection, depending on how the application uses MailKit/MimeKit to construct and send messages. The issue becomes exploitable when the attacker can influence a MailboxAddress (MAIL FROM / RCPT TO) value that is later serialized to an SMTP session. RFC 5321 explicitly defines the SMTP mailbox local-part grammar and does not permit CR (13) or LF (10) inside Quoted-string (qtextSMTP and quoted-pairSMTP ranges exclude control characters). SMTP commands are terminated by <CRLF>, making CRLF injection in command arguments particularly dangerous. This issue has been patched in version 4.15.1.
Published: 2026-03-06
Score: 6.9 Medium
EPSS: 1.3% Low
KEV: No
Impact: SMTP Command Injection
Action: Apply Patch
AI Analysis

Impact

MimeKit contains a flaw that enables an attacker to inject CRLF sequences into a quoted local‑part of an email address during serialization to an SMTP session. The injection allows arbitrary SMTP commands, such as RCPT TO, DATA, or RSET, to be added, leading to mail header tampering or the forging of email messages. The issue violates RFC 5321 and is categorized as a CRLF injection (CWE‑93), potentially compromising the integrity and authenticity of outgoing mail.

Affected Systems

The vulnerable component is MimeKit, a C# library maintained by jstedfast. All releases prior to 4.15.1 are susceptible. Applications that use MimeKit to build or parse email messages and then send them via SMTP are affected if they construct a MailboxAddress with a quoted local‑part that is not properly sanitized.

Risk and Exploitability

The CVSS score of 6.9 indicates moderate severity, while the EPSS score of 1% reflects a low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires the attacker to influence a MailboxAddress that is later serialized to an SMTP session, which is most likely in scenarios where user or untrusted data is used to form email addresses. Although a public exploit is not currently available, the potential for serious email tampering warrants timely remediation.

Generated by OpenCVE AI on April 16, 2026 at 11:10 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade MimeKit to version 4.15.1 or later, which contains the CRLF injection fix.
  • Validate all email address components before serialization; reject or escape any CR or LF characters in quoted local‑parts.
  • Audit your application code to ensure MailboxAddress objects are constructed only from trusted data and that no raw strings are inserted into the local‑part.

Generated by OpenCVE AI on April 16, 2026 at 11:10 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-g7hc-96xr-gvvx MimeKit has CRLF Injection in Quoted Local-Part that Enables SMTP Command Injection and Email Forgery
History

Thu, 12 Mar 2026 15:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:jstedfast:mimekit:*:*:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}

Mon, 09 Mar 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 09 Mar 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Jstedfast
Jstedfast mimekit
Vendors & Products Jstedfast
Jstedfast mimekit

Fri, 06 Mar 2026 21:15:00 +0000

Type Values Removed Values Added
Description MimeKit is a C# library which may be used for the creation and parsing of messages using the Multipurpose Internet Mail Extension (MIME), as defined by numerous IETF specifications. Prior to version 4.15.1, a CRLF injection vulnerability in MimeKit allows an attacker to embed \r\n into the SMTP envelope address local-part (when the local-part is a quoted-string). This is non-compliant with RFC 5321 and can result in SMTP command injection (e.g., injecting additional RCPT TO / DATA / RSET commands) and/or mail header injection, depending on how the application uses MailKit/MimeKit to construct and send messages. The issue becomes exploitable when the attacker can influence a MailboxAddress (MAIL FROM / RCPT TO) value that is later serialized to an SMTP session. RFC 5321 explicitly defines the SMTP mailbox local-part grammar and does not permit CR (13) or LF (10) inside Quoted-string (qtextSMTP and quoted-pairSMTP ranges exclude control characters). SMTP commands are terminated by <CRLF>, making CRLF injection in command arguments particularly dangerous. This issue has been patched in version 4.15.1.
Title MimeKit: CRLF Injection in Quoted Local-Part Enables SMTP Command Injection and Email Forgery
Weaknesses CWE-93
References
Metrics cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Jstedfast Mimekit
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-09T20:54:29.184Z

Reserved: 2026-03-04T17:23:59.797Z

Link: CVE-2026-30227

cve-icon Vulnrichment

Updated: 2026-03-09T20:47:36.375Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-06T21:16:16.607

Modified: 2026-03-12T15:34:59.480

Link: CVE-2026-30227

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T11:15:27Z

Weaknesses