CVE-2026-42246 | THREATINT

Description

Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Prior to versions 0.3.10, 0.4.24, 0.5.14, and 0.6.4, a man-in-the-middle attacker can cause Net::IMAP#starttls to return "successfully", without starting TLS. This issue has been patched in versions 0.3.10, 0.4.24, 0.5.14, and 0.6.4.

PUBLISHED Reserved 2026-04-25 | Published 2026-05-09 | Updated 2026-05-09 | Assigner GitHub_M

HIGH: 7.6CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Problem types

CWE-392: Missing Report of Error Condition

CWE-393: Return of Wrong Status Code

CWE-754: Improper Check for Unusual or Exceptional Conditions

CWE-636: Not Failing Securely ('Failing Open')

CWE-841: Improper Enforcement of Behavioral Workflow

Product status

< 0.3.10

affected

>= 0.4.0, < 0.4.24

affected

>= 0.5.0, < 0.5.14

affected

>= 0.6.0, < 0.6.4

affected

References

github.com/...t-imap/security/advisories/GHSA-vcgp-9326-pqcp

github.com/...ommit/0ede4c40b1523dfeaf95777b2678e54cc0fd9618

github.com/...ommit/24a4e770b43230286a05aa2a9746cdbb3eb8485e

github.com/...ommit/97e2488fb5401a1783bddd959dde007d9fbce42c

github.com/...ommit/f79d35bf5833f186e81044c57c843eda30c873da

github.com/ruby/net-imap/releases/tag/v0.3.10

github.com/ruby/net-imap/releases/tag/v0.4.24

github.com/ruby/net-imap/releases/tag/v0.5.14

cve.org (CVE-2026-42246)

nvd.nist.gov (CVE-2026-42246)

Download JSON

help @ threatint.eu