CVE-2026-42246

Summary

Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Prior to versions 0.3.10, 0.4.24, 0.5.14, and 0.6.4, a man-in-the-middle attacker can cause Net::IMAP#starttls to return "successfully", without starting TLS. This issue has been patched in versions 0.3.10, 0.4.24, 0.5.14, and 0.6.4.

Affected Software

VendorProductVersion RangeStatus
rubynet-imap< 0.3.10affected
rubynet-imap>= 0.4.0, < 0.4.24affected
rubynet-imap>= 0.5.0, < 0.5.14affected
rubynet-imap>= 0.6.0, < 0.6.4affected

Weaknesses

  • CWE-392: CWE-392: Missing Report of Error Condition
  • CWE-393: CWE-393: Return of Wrong Status Code
  • CWE-754: CWE-754: Improper Check for Unusual or Exceptional Conditions
  • CWE-636: CWE-636: Not Failing Securely ('Failing Open')
  • CWE-841: CWE-841: Improper Enforcement of Behavioral Workflow

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

net-imap: ruby: Net::IMAP: Information disclosure via man-in-the-middle attack bypassing TLS

Additional References

References