CVE-2026-42246
Published: 2026-05-09
Priority: P345 · high · CVSS 3.1 base score 7.4
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS: 0.31% (22.9th percentile)
Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Prior to versions 0.3.10, 0.4.24, 0.5.14, and 0.6.4, a man-in-the-middle attacker can cause Net::IMAP#starttls to return "successfully", without starting TLS. This issue has been patched in versions 0.3.10, 0.4.24, 0.5.14, and 0.6.4.
Affected
19 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | ruby3.3 | — | — |
| ruby-lang | net | < 0.3.10 | 0.3.10 |
| ruby-lang | net | >= 0.4.0 < 0.4.24 | 0.4.24 |
| ruby-lang | net | >= 0.5.0 < 0.5.14 | 0.5.14 |
| ruby-lang | net | >= 0.6.0 < 0.6.4 | 0.6.4 |
| ruby-lang | ruby | — | — |
| ruby | net-imap | < 0.3.10 | 0.3.10 |
| ruby | net-imap | — | — |
| ruby | net-imap | — | — |
| ruby | net-imap | — | — |
| ruby | net-imap | >= 0 < 0.3.10 | 0.3.10 |
| ruby | net-imap | >= 0.4.0 < 0.4.24 | 0.4.24 |
| ruby | net-imap | >= 0.5.0 < 0.5.14 | 0.5.14 |
| ruby | net-imap | >= 0.6.0 < 0.6.4 | 0.6.4 |
| ruby_2.5 | ruby | — | — |
| ruby_3.3 | ruby | — | — |
| ruby_4.0 | ruby | — | — |
| ubuntu | ruby2.3 | — | — |
| ubuntu | ruby2.5 | — | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 7.4 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N |
| nvd | 4.0 | 7.6 | HIGH | CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| vendor_redhat | — | 7.4 | HIGH | — |
| vendor_ubuntu | — | 7.4 | HIGH | — |
Ubuntu
Ruby vulnerabilities
vendor_ubuntu·2026-06-15·CVSS 7.4
CVE-2026-42257 [HIGH] Ruby vulnerabilities
Title: Ruby vulnerabilities
Summary: Ruby could allow unintended access to network services.
It was discovered that Ruby's Net::IMAP library did not properly verify that Transport Layer Security (TLS) encryption was started after issuing a STARTTLS command. A remote attacker could possibly use this issue to perform a machine-in-the-middle attack and silently bypass TLS encryption. (CVE-2026-42246)
It was also discovered that Ruby's Net::IMAP library did not validate string arguments passed to certain commands. A remote attacker could possibly use this issue to inject arbitrary IMAP commands. (CVE-2026-42257)
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat
net-imap: ruby: Net::IMAP: Information disclosure via man-in-the-middle attack bypassing TLS
vendor_redhat·2026-05-09·CVSS 7.4
CVE-2026-42246 [HIGH] CWE-325 net-imap: ruby: Net::IMAP: Information disclosure via man-in-the-middle attack bypassing TLS
A flaw was found in the Ruby net-imap library. When upgrading a cleartext IMAP connection to TLS using the Net::IMAP#starttls method, the library improperly handles certain responses received during STARTTLS negotiation. A man-in-the-middle (MITM) attacker can inject a predicted tagged OK response before the client completes the STARTTLS command, causing the operation to appear
VulDB
ruby net-imap up to 0.3.9/0.4.23/0.5.13/0.6.3 Net::IMAP error condition (GHSA-vcgp-9326-pqcp)
vuldb·2026-05-18·CVSS 7.6
CVE-2026-42246 [HIGH] ruby net-imap up to 0.3.9/0.4.23/0.5.13/0.6.3 Net::IMAP error condition (GHSA-vcgp-9326-pqcp)
A vulnerability classified as problematic has been found in ruby net-imap up to 0.3.9/0.4.23/0.5.13/0.6.3. It affects the function Net::IMAP: a manipulation can lead to a missing report of an error condition.
This vulnerability is registered as CVE-2026-42246. The attack can be launched remotely. No exploit is available.
The affected component should be upgraded.
GHSA
net-imap vulnerable to STARTTLS stripping via invalid response timing
ghsa·2026-05-04
CVE-2026-42246 [HIGH] CWE-392 net-imap vulnerable to STARTTLS stripping via invalid response timing
### Summary
A man-in-the-middle attacker can cause `Net::IMAP#starttls` to return "successfully", without starting TLS.
### Details
When using `Net::IMAP#starttls` to upgrade a plaintext connection to use TLS, a man-in-the-middle attacker can inject a tagged `OK` response with an easily predictable tag. By sending the response before the client finishes sending the command, the command completes "successfully" before the response handler is registered. This allows `#starttls` to return without error, but the response handler is never invoked, the TLS connection is never established, and the socket remains unencrypted.
This allows man-in-the-middle attackers to perform a STARTTLS stripping attack, unless the client c
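A self-contained Ruby model of the timing race described in the GHSA details above, added here as an illustration and not taken from net-imap's code. `FakeTransport` and `ImapLikeClient` are constructed stand-ins, and the hardening shown (rejecting a tagged completion that lands before the command has been fully written, then verifying the transport really is TLS before returning) is an assumed mitigation for illustration, not a description of the upstream patch.

```ruby
# Constructed in-memory transport (not net-imap code). early_ok: true replays an
# on-path attacker who answers "TAG OK" as soon as it sees "TAG STARTTLS".
class FakeTransport
  attr_reader :tls
  def initialize(early_ok: false)
    @early_ok, @inbox, @tls = early_ok, [], false
  end
  def write(data)   # the injected reply is queued before the client's CRLF
    return unless @early_ok && data.include?("STARTTLS")
    @inbox << "#{data[/\A\S+/]} OK Begin TLS negotiation now\r\n"
  end
  def readline;       @inbox.shift; end   # nil when nothing is queued
  def start_tls!;     @tls = true;  end   # stands in for the SSLSocket upgrade
  def server_ok(tag); @inbox << "#{tag} OK Begin TLS negotiation now\r\n"; end
end

class ImapLikeClient
  TAG = "RUBY0001"   # predictable tag, as the advisory notes
  def initialize(transport); @t = transport; end
  # A tagged OK completes the command and runs the registered continuation (if
  # any); in strict mode a completion that lands mid-send is a protocol error.
  def pump(strict)
    while (line = @t.readline)
      next unless line.start_with?("#{TAG} OK")
      raise "tagged OK arrived before STARTTLS was fully sent" if strict && @sending
      @done = true
      @continuation&.call
    end
  end
  def send_starttls(strict)
    @sending = true; @t.write("#{TAG} STARTTLS"); pump(strict)  # attacker replies here
    @t.write("\r\n"); @sending = false
    @t.server_ok(TAG) unless @done              # honest server answers now
  end
  # Vulnerable: continuation registered only after the command went out, so an
  # early OK completes the command with the socket still in plaintext.
  def starttls_vulnerable
    @done, @continuation = false, nil
    send_starttls(false)
    @continuation = -> { @t.start_tls! }
    pump(false)
    @t.tls ? :tls : :plaintext
  end
  # Hardened: continuation registered before the first byte is written,
  # out-of-order completion rejected, result verified on the transport.
  def starttls_fixed
    @done, @continuation = false, -> { @t.start_tls! }
    send_starttls(true)
    pump(true)
    raise "STARTTLS returned without TLS" unless @t.tls
    :tls
  end
end
```

With the real library the equivalent defensive post-condition is to confirm TLS is actually in use after `#starttls` returns rather than trusting the return alone; `Net::IMAP#tls_verified?` (assumed here to be available in 0.4 and later) serves that purpose.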
Rapid7
Patch Tuesday - May 2026
blogs_rapid7·2026-05-13·CVSS 10.0
CVE-2026-41089 [CRITICAL] Patch Tuesday - May 2026
Microsoft is publishing 137 vulnerabilities on May 2026 Patch Tuesday. Microsoft is not aware of exploitation in the wild or public disclosure for any of these vulnerabilities. So far this month, Microsoft has provided patches to address 133 browser vulnerabilities, which are not included in the Patch Tuesday count above.
## Windows Netlogon: critical RCE
Anyone responsible for securing a domain controller should prioritize remediation of CVE-2026-41089, which is a critical stack-based buffer overflow in Windows Netlogon with a CVSS v3 base score of 9.8. Exploitation leads to execution in the context of the Netlogon service, so that's SYSTEM privileges on the domain controller. For most pentesters, that's the point at which the customer report more or less writes itself. No privileges
Bugzilla
CVE-2026-42246 ruby: Net::IMAP: Information disclosure via man-in-the-middle attack bypassing TLS [fedora-all]
bugzilla·2026-06-24·CVSS 7.4
CVE-2026-42246 [HIGH] CVE-2026-42246 ruby: Net::IMAP: Information disclosure via man-in-the-middle attack bypassing TLS [fedora-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-42246 net-imap: ruby: Net::IMAP: Information disclosure via man-in-the-middle attack bypassing TLS
bugzilla·2026-05-09·CVSS 7.4
CVE-2026-42246 [HIGH] CVE-2026-42246 net-imap: ruby: Net::IMAP: Information disclosure via man-in-the-middle attack bypassing TLS
References
https://github.com/ruby/net-imap/commit/0ede4c40b1523dfeaf95777b2678e54cc0fd9618
https://github.com/ruby/net-imap/commit/24a4e770b43230286a05aa2a9746cdbb3eb8485e
https://github.com/ruby/net-imap/commit/97e2488fb5401a1783bddd959dde007d9fbce42c
https://github.com/ruby/net-imap/commit/f79d35bf5833f186e81044c57c843eda30c873da
https://github.com/ruby/net-imap/releases/tag/v0.3.10
https://github.com/ruby/net-imap/releases/tag/v0.4.24
https://github.com/ruby/net-imap/releases/tag/v0.5.14
https://github.com/ruby/net-imap/security/advisories/GHSA-vcgp-9326-pqcp
https://access.redhat.com/errata/RHSA-2026:33462
https://access.redhat.com/security/cve/CVE-2026-42246
https://bugzilla.redhat.com/show_bug.cgi?id=2468499
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-42246.json