CVE-2026-42246: net-imap vulnerable to STARTTLS stripping via invalid response timing

Published May 4, 2026

Summary

A man-in-the-middle attacker can cause Net::IMAP#starttls to return "successfully", without starting TLS.

Details

When Net::IMAP#starttls is used to upgrade a plaintext connection to TLS, a man-in-the-middle attacker can inject a tagged OK response carrying the tag the client is about to use (tags are easily predictable). If that forged response arrives before the client has finished sending the STARTTLS command, the command is marked complete "successfully" before the response handler that performs the TLS handshake has been registered. #starttls therefore returns without error, but the handler is never invoked, no TLS handshake takes place, and the socket remains unencrypted.

This lets a man-in-the-middle attacker perform a STARTTLS stripping attack unless the client code explicitly checks Net::IMAP#tls_verified? after the upgrade.

Impact

TLS bypass, leading to cleartext transmission of sensitive information.

Mitigation

Upgrade to a patched version of net-imap (0.3.10, 0.4.24, 0.5.14 or 0.6.4), which raises an exception whenever #starttls does not establish TLS.

Connect to an implicit TLS port rather than using STARTTLS on a cleartext port. This is strongly recommended regardless of this issue; see RFC 8314 (Cleartext Considered Obsolete: Use of Transport Layer Security (TLS) for Email Submission and Access), "NO STARTTLS: Why TLS is better without STARTTLS", and "A Security Analysis of STARTTLS in the Email Context".

Explicitly verify that Net::IMAP#tls_verified? is true before using the connection after #starttls.
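The ordering bug described under Details and the post-condition check recommended under Mitigation, as an added example that is not net-imap's code: a fake server plays the man-in-the-middle and sends a tagged OK for the client's predicted first tag before the client has even sent STARTTLS. The client is a deliberately simplified model of the vulnerable flow (send the command, process responses, then register the handler); the TLS handshake itself is stood in for by a flag, the tag format RUBY0001 mirrors net-imap's prefix-plus-counter scheme, and all names here (start_mitm_server, ModelImapClient, starttls_vulnerable, starttls_checked, demo) are this example's own.

```ruby
require "socket"

# Constructed model of the STARTTLS ordering bug (not net-imap's code). The TLS
# handshake is replaced by a flag: the point is that the upgrade step never runs.
PREDICTED_TAG = "RUBY0001" # fixed prefix + counter, so the first tag is trivially guessed

# Man-in-the-middle side: greet, inject the tagged OK before reading anything,
# then swallow whatever the client sends. Returns the listening port.
def start_mitm_server
  server = TCPServer.new("127.0.0.1", 0)
  Thread.new do
    conn = server.accept
    conn.write("* OK IMAP4rev1 ready\r\n")
    conn.write("#{PREDICTED_TAG} OK Begin TLS negotiation now\r\n") # forged, sent early
    begin
      loop { conn.gets || break } # discard the STARTTLS command and anything after it
    ensure
      conn.close
      server.close
    end
  end
  server.addr[1]
end

class ModelImapClient
  def initialize(port)
    @sock = TCPSocket.new("127.0.0.1", port)
    @sock.gets # server greeting
    @tagno = 0
    @handlers, @completed = {}, {} # tag => handler proc; tag => tagged response text
    @tls_established = false
  end

  def generate_tag
    @tagno += 1
    format("RUBY%04d", @tagno)
  end

  # Reads one response line. A tagged response completes its command and runs the
  # handler only if one is registered at that moment; otherwise it is simply dropped.
  def process_one_response
    line = @sock.gets or raise EOFError, "connection closed"
    tag, rest = line.chomp.split(" ", 2)
    return if tag == "*" # untagged data is irrelevant here
    @completed[tag] = rest
    @handlers.delete(tag)&.call(rest)
  end

  # Vulnerable ordering: send the command, let responses be processed, and only
  # then register the handler that would perform the upgrade. The attacker's early
  # OK completes the tag while no handler exists, so the socket stays in cleartext.
  def starttls_vulnerable
    tag = generate_tag
    @sock.write("#{tag} STARTTLS\r\n")
    process_one_response                                   # consumes the forged OK
    @handlers[tag] = ->(_resp) { @tls_established = true } # too late: never invoked
    process_one_response until @completed.key?(tag)        # already complete, returns at once
    self
  end

  # Hardened variant: same flow, but refuse to report success unless TLS is really up.
  # This is the client-side equivalent of checking Net::IMAP#tls_verified? afterwards.
  def starttls_checked
    starttls_vulnerable
    raise "STARTTLS completed without establishing TLS" unless tls_verified?
    self
  end

  def tls_verified?
    @tls_established
  end

  def close
    @sock.close
  end
end

# Runs both variants against a fresh MITM each time and reports what happened.
def demo
  vulnerable = ModelImapClient.new(start_mitm_server).starttls_vulnerable
  result = { vulnerable_returned: true, tls_after_vulnerable: vulnerable.tls_verified? }
  vulnerable.close

  checked = ModelImapClient.new(start_mitm_server)
  begin
    checked.starttls_checked
    result[:checked_raised] = false
  rescue RuntimeError
    result[:checked_raised] = true
  ensure
    checked.close
  end
  result
end

p demo if $PROGRAM_NAME == __FILE__
```

Running demo shows the two outcomes side by side: the vulnerable path returns a client whose tls_verified? is false, which is exactly the state a caller must check for before sending anything, while the checked path raises instead, which is the behaviour the patched versions provide.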

Other sources

Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Prior to versions 0.3.10, 0.4.24, 0.5.14, and 0.6.4, a man-in-the-middle attacker can cause Net::IMAP#starttls to return "successfully", without starting TLS. This issue has been patched in versions 0.3.10, 0.4.24, 0.5.14, and 0.6.4.

MITRE

Affected Software

8 affected components; fixes available.

Component            Affected range          Fixed in
rubygems/net-imap    >= 0, <= 0.3.9          0.3.10
rubygems/net-imap    >= 0.4.0, <= 0.4.23     0.4.24
rubygems/net-imap    >= 0.5.0, <= 0.5.13     0.5.14
rubygems/net-imap    >= 0.6.0, <= 0.6.3      0.6.4
ruby-lang Net        < 0.3.10
ruby-lang Net        >= 0.4.0, < 0.4.24
ruby-lang Net        >= 0.5.0, < 0.5.14
ruby-lang Net        >= 0.6.0, < 0.6.4

Event History

May 4, 2026
  10:01 PM  Advisory Published (via GitHub)
  10:01 PM  Data Sourced (via GitHub): Description, Weakness, Affected Software

May 9, 2026
  07:33 PM  CVE Published (via MITRE)
  07:33 PM  Data Sourced (via MITRE): Description, Weakness
  08:16 PM  Data Sourced (via NVD): Remedy, Description, Severity, Weakness, Affected Software

Frequently Asked Questions

1. What is the severity of CVE-2026-42246?

CVE-2026-42246 is classified as a high severity vulnerability due to its potential for man-in-the-middle attacks.

2. How do I fix CVE-2026-42246?

Upgrade `net-imap` to 0.3.10, 0.4.24, 0.5.14 or 0.6.4 (or later within each series). Prefer implicit TLS ports over STARTTLS, and if STARTTLS must be used, check `Net::IMAP#tls_verified?` after `#starttls` before sending anything.

3. Which versions are affected by CVE-2026-42246?

CVE-2026-42246 affects `net-imap` versions up to and including 0.3.9, 0.4.0 through 0.4.23, 0.5.0 through 0.5.13, and 0.6.0 through 0.6.3.

4. What type of attack does CVE-2026-42246 enable?

CVE-2026-42246 enables a STARTTLS stripping attack: a man-in-the-middle can make `Net::IMAP#starttls` report success while the connection is never upgraded and remains in cleartext.

5. Should I be concerned about CVE-2026-42246 in my applications?

Yes, if your application calls `Net::IMAP#starttls` on an affected version: an on-path attacker can keep the session in cleartext and read the sensitive information it carries.

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
© 2026 SecAlerts Pty Ltd.