Description
Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Prior to 0.6.5 and 0.5.15, when Net::IMAP#id is called with a hash argument, although the ID field value strings are correctly quoted (escaping quoted specials), they were not validated to prohibit CRLF sequences. While Net::IMAP#enable does process its arguments for aliases, it does not validate them as valid atoms (or as a list of valid atoms). The #to_s value is sent verbatim. Arguments to either command could be used by an attacker to inject arbitrary IMAP commands. This vulnerability is fixed in 0.6.5 and 0.5.15.
Published: 2026-06-22
Score: 5.8 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Net::IMAP, a Ruby library for IMAP client functionality, accepted ID and ENABLE command arguments without rejecting CRLF sequences before versions 0.6.5 and 0.5.15. The affected arguments were quoted correctly but not validated against line breaks, allowing an attacker to insert carriage-return line-feed (CRLF) characters that cause the IMAP server to parse an injected command. This vulnerability can enable an attacker to execute arbitrary IMAP commands and, depending on the server configuration, could lead to unauthorized data access, modification, or denial of service. The CVSS score of 5.8 classifies the weakness as moderate severity, and the fix resolves the injection path entirely.

Affected Systems

The defect applies to the ruby:net-imap library in the 0.6 series before 0.6.5 and in the 0.5 series before 0.5.15. The affected products are Ruby implementations of the Net::IMAP client; any system using the vulnerable library is exposed until the issue is patched.

Risk and Exploitability

The vulnerability carries a moderate CVSS score of 5.8, is not listed in CISA's KEV catalog, and has no EPSS score available. The attack vector is inferred to be remote: an attacker who can control or supply the ID or ENABLE arguments of a Net::IMAP client that connects to an IMAP server can inject malicious commands. While exploitation requires the client to send a crafted request to a server, the presence of CRLF in the payload is sufficient for the server to interpret and execute the injected commands. No public exploits have been reported, but the nature of the flaw makes it a realistic target in environments where trusted clients may be compromised or embedded in untrusted code.

Generated by OpenCVE AI on June 22, 2026 at 22:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade ruby:net-imap to 0.6.5 or 0.5.15, the versions that contain the necessary CRLF validation.
  • If an immediate upgrade is not possible, validate or sanitize any string passed to Net::IMAP#id or Net::IMAP#enable by stripping CRLF characters before passing them to the library.
  • Apply network segmentation or firewall rules to restrict which clients can connect to the IMAP server, reducing the opportunity for attackers to target the vulnerable library.

Tracking

Advisories
Source: Github GHSA
ID: GHSA-46q3-7gv7-qmgg
Title: Net::IMAP: Command Injection via ID command argument
History

Tue, 23 Jun 2026 12:30:00 +0000

Type: Metrics (ssvc)
Values added:
{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 22 Jun 2026 21:00:00 +0000

Type: Description
Values added: Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Prior to 0.6.5 and 0.5.15, when Net::IMAP#id is called with a hash argument, although the ID field value strings are correctly quoted (escaping quoted specials), they were not validated to prohibit CRLF sequences. While Net::IMAP#enable does process its arguments for aliases, it does not validate them as valid atoms (or as a list of valid atoms). The #to_s value is sent verbatim. Arguments to either command could be used by an attacker to inject arbitrary IMAP commands. This vulnerability is fixed in 0.6.5 and 0.5.15.

Type: Title
Values added: Net::IMAP: Command Injection via ID command argument

Type: Weaknesses
Values added: CWE-77, CWE-93

Type: References

Type: Metrics (cvssV4_0)
Values added:
{'score': 5.8, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:P/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-23T12:06:49.157Z

Reserved: 2026-05-18T22:54:18.272Z

Link: CVE-2026-47242

Vulnrichment

Updated: 2026-06-23T12:06:45.712Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-22T22:30:07Z

Weaknesses
  • CWE-77

    Improper Neutralization of Special Elements used in a Command ('Command Injection')

  • CWE-93

    Improper Neutralization of CRLF Sequences ('CRLF Injection')