Description
Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Prior to versions 0.3.10, 0.4.24, 0.5.14, and 0.6.4, a man-in-the-middle attacker can cause Net::IMAP#starttls to return "successfully", without starting TLS. This issue has been patched in versions 0.3.10, 0.4.24, 0.5.14, and 0.6.4.
Published: 2026-05-09
Score: 7.6 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw is in Net::IMAP's STARTTLS handling: a man‑in‑the‑middle who can tamper with the server's replies can make Net::IMAP#starttls return as if the upgrade had succeeded while the connection is still plaintext. A client that then authenticates sends its credentials, and any subsequent mailbox traffic, in the clear, where the attacker can both read and modify them; this matches the high confidentiality and integrity impact recorded in the CVSS vector. The advisory attributes the bypass to invalid response timing during the STARTTLS exchange, and the record assigns CWE‑392, CWE‑393, CWE‑636, CWE‑754 and CWE‑841.

Affected Systems

Ruby applications that use the net-imap gem (ruby:net-imap) at a version earlier than the patched release of their series (0.3.10 for 0.3.x, 0.4.24 for 0.4.x, 0.5.14 for 0.5.x, 0.6.4 for 0.6.x) are affected. Any such application that upgrades a plaintext IMAP connection with STARTTLS is exposed, regardless of operating system or hosting environment; connections that use implicit TLS (IMAPS) from the start never enter the STARTTLS code path.

Risk and Exploitability

The CVSS 4.0 score of 7.6 (High) reflects a network attack of low complexity, but the vector's AT:P and UI:P components record the preconditions: the attacker must already sit on the path between client and server (for example on untrusted Wi‑Fi or behind an interposing proxy), and a client must initiate a STARTTLS connection. EPSS currently estimates the probability of exploitation at below 1%, and the CVE is not listed in the CISA KEV catalog. Because the only active step is tampering with the STARTTLS reply, the attack is straightforward for an attacker who already holds that position, so remediation should not wait for evidence of exploitation.

Generated by OpenCVE AI on May 9, 2026 at 21:23 UTC.

Remediation

Fixed upstream in net-imap 0.3.10, 0.4.24, 0.5.14 and 0.6.4 (see the description and GHSA-vcgp-9326-pqcp). The vulnerability record lists no separate workaround.

OpenCVE Recommended Actions

  • Upgrade net-imap to the patched release of the series in use: 0.3.10 (0.3.x), 0.4.24 (0.4.x), 0.5.14 (0.5.x) or 0.6.4 (0.6.x); new projects should take the latest 0.6.x
  • If an immediate upgrade cannot be performed, connect with implicit TLS (IMAPS, port 993) instead of upgrading a plaintext connection with STARTTLS, so the vulnerable code path is never used
  • Implement a runtime check that verifies a TLS session with a verified peer is actually established before transmitting any credentials, and abort connections that do not confirm encryption
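As an added example (not code from net-imap or from OpenCVE, and making no claim about how net-imap implements #starttls or about the exact reply sequence the advisory describes), the following Ruby shows what the runtime guard in the last item amounts to for a STARTTLS exchange: accept only a tagged OK that matches the tag sent, that arrives after the command was written, and that is followed by no plaintext bytes before the TLS handshake; and refuse to send credentials over anything other than an established, peer‑verified OpenSSL::SSL::SSLSocket. `ScriptedWire` is a constructed stand‑in for the socket so the exchange can be run offline; `StarttlsError`, `starttls_gate`, `read_starttls_reply`, `buffered_bytes` and `require_tls!` are names chosen for this example.

```ruby
require "openssl"
require "stringio"

# Added example, not net-imap code: a defensive STARTTLS gate for an
# IMAP-style client. It makes no claim about net-imap's internals.
class StarttlsError < StandardError; end

# Bytes already readable on the wire, without blocking ("" if none).
def buffered_bytes(io)
  data = io.read_nonblock(4096, exception: false)
  data.is_a?(String) ? data : ""
end

# Consume the reply stream after "<tag> STARTTLS". Untagged lines
# ("* ...") are allowed before the tagged reply; the tagged line must
# carry exactly our tag and must be OK. Anything else aborts the upgrade.
def read_starttls_reply(io, tag)
  while (line = io.gets("\r\n"))
    line = line.chomp("\r\n")
    next if line.start_with?("* ")
    rtag, status, text = line.split(" ", 3)
    raise StarttlsError, "reply tag #{rtag.inspect} is not #{tag.inspect}" unless rtag == tag
    case status
    when "OK"        then return :ok
    when "NO", "BAD" then raise StarttlsError, "server refused STARTTLS: #{text}"
    else                  raise StarttlsError, "malformed tagged reply: #{line.inspect}"
    end
  end
  raise StarttlsError, "connection closed before a tagged reply"
end

# The gate: send STARTTLS and return :ready only if the reply is a valid,
# correctly timed tagged OK with no plaintext trailing it. The caller then
# performs the TLS handshake on the same socket.
def starttls_gate(io, tag)
  # A reply for our tag that was already waiting before we sent the command
  # cannot be genuine; treat it as a forged or injected response.
  if buffered_bytes(io).lines.any? { |l| l.start_with?("#{tag} ") }
    raise StarttlsError, "tagged reply arrived before STARTTLS was sent"
  end
  io.write("#{tag} STARTTLS\r\n")
  read_starttls_reply(io, tag)
  trailing = buffered_bytes(io)
  unless trailing.empty?
    # Plaintext pushed at us after the OK would otherwise be parsed as if it
    # were protected; a stripping or injection attempt looks exactly like this.
    raise StarttlsError, "#{trailing.bytesize} plaintext bytes after OK, before TLS"
  end
  :ready
end

# Credentials go out only over an established TLS socket whose peer was
# verified and whose certificate matches the intended host.
def require_tls!(io, hostname)
  raise StarttlsError, "not a TLS socket: #{io.class}" unless io.is_a?(OpenSSL::SSL::SSLSocket)
  raise StarttlsError, "peer verification disabled" unless io.context.verify_mode == OpenSSL::SSL::VERIFY_PEER
  io.post_connection_check(hostname) # raises OpenSSL::SSL::SSLError on mismatch
  true
end

# Constructed stand-in for a socket. Bytes in `before` are readable
# immediately; bytes in `after` become readable only once the client has
# written its command, which is how reply timing is modelled here.
class ScriptedWire
  attr_reader :sent
  def initialize(before: "", after: "")
    @before  = StringIO.new(before)
    @after   = StringIO.new(after)
    @sent    = +""
    @current = @before
  end
  def write(str)
    @sent << str
    @current = @after
    str.bytesize
  end
  def gets(sep)
    @current.gets(sep)
  end
  def read_nonblock(len, exception: true)
    @current.read_nonblock(len, exception: exception)
  end
end

if $PROGRAM_NAME == __FILE__
  {
    "genuine"  => ScriptedWire.new(after: "* OK still here\r\nA001 OK Begin TLS\r\n"),
    "forged"   => ScriptedWire.new(before: "A001 OK Begin TLS\r\n"),
    "injected" => ScriptedWire.new(after: "A001 OK Begin TLS\r\n* BYE\r\n"),
  }.each do |label, wire|
    puts "#{label}: #{starttls_gate(wire, 'A001')}"
  rescue StarttlsError => e
    puts "#{label}: rejected (#{e.message})"
  end
end
```

On a real connection the same gate runs against the TCPSocket before it is wrapped in OpenSSL::SSL::SSLSocket and `require_tls!` is called on the wrapped socket before LOGIN or AUTHENTICATE. With a patched net-imap the simpler route is still the page's second recommendation: implicit TLS on port 993, which never enters the STARTTLS path at all.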



Advisories
Source: GitHub GHSA
ID: GHSA-vcgp-9326-pqcp
Title: net-imap vulnerable to STARTTLS stripping via invalid response timing
History

Sat, 09 May 2026 20:00:00 +0000

Type: Description
Values Removed: none listed
Values Added: Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Prior to versions 0.3.10, 0.4.24, 0.5.14, and 0.6.4, a man-in-the-middle attacker can cause Net::IMAP#starttls to return "successfully", without starting TLS. This issue has been patched in versions 0.3.10, 0.4.24, 0.5.14, and 0.6.4.

Type: Title
Values Removed: none listed
Values Added: net-imap vulnerable to STARTTLS stripping via invalid response timing

Type: Weaknesses
Values Removed: none listed
Values Added: CWE-392, CWE-393, CWE-636, CWE-754, CWE-841

Type: References
Values Removed: none listed
Values Added: none listed

Type: Metrics
Values Removed: none listed
Values Added: cvssV4_0 {'score': 7.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'}



MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-09T19:33:17.880Z

Reserved: 2026-04-25T05:37:12.118Z

Link: CVE-2026-42246

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-09T20:16:28.163

Modified: 2026-05-09T20:16:28.163

Link: CVE-2026-42246

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-09T21:30:42Z