CVE-2026-42246 Overview
CVE-2026-42246 affects the Ruby Net::IMAP library, which implements Internet Message Access Protocol (IMAP) client functionality. A man-in-the-middle (MITM) attacker can manipulate the IMAP server response so that Net::IMAP#starttls returns successfully without actually negotiating TLS. The client then continues the session in cleartext while believing the connection is encrypted. This issue is classified under [CWE-392] (Missing Report of Error Condition) and is a classic STARTTLS stripping flaw. Patched releases are 0.3.10, 0.4.24, 0.5.14, and 0.6.4.
Critical Impact
An attacker positioned between the Ruby application and the IMAP server can strip STARTTLS, exposing IMAP credentials and message contents in cleartext.
Affected Products
- Ruby net-imap gem versions prior to 0.3.10
- Ruby net-imap gem versions 0.4.0 through 0.4.23
- Ruby net-imap gem versions 0.5.0 through 0.5.13 and 0.6.0 through 0.6.3
Discovery Timeline
- 2026-05-09 - CVE-2026-42246 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-42246
Vulnerability Analysis
The Net::IMAP#starttls method issued a STARTTLS command and then attempted to upgrade the socket to TLS. The original implementation did not verify that the server actually returned a tagged OK response before treating the upgrade as successful. If a network attacker injected an untagged response or otherwise manipulated the reply, the method could return without raising an error and without calling start_tls_session. The client continued issuing IMAP commands, including LOGIN, over the plaintext TCP socket.
Root Cause
The root cause is missing error reporting around the STARTTLS handshake. The method assumed that any non-exceptional return from send_command implied successful TLS negotiation. There was no explicit `handled` state confirming that the server delivered a tagged OK response and that start_tls_session actually executed. This is the condition described by [CWE-392].
Attack Vector
An attacker with a network position between the Ruby application and the IMAP server intercepts traffic on the IMAP port. The attacker forwards the client's STARTTLS request but responds with a crafted reply that does not contain a tagged OK, or forces an error path that fails to raise. The client treats the TLS upgrade as complete and proceeds to send credentials and mailbox commands in plaintext, which the attacker captures.
# Patch from ruby/net-imap commit 0ede4c40b1523dfeaf95777b2678e54cc0fd9618
# Adds explicit `handled` tracking to verify the server returned a tagged OK
# before considering STARTTLS successful.
def starttls(**options)
  @ssl_ctx_params, @ssl_ctx = build_ssl_ctx(options)
  handled = false
  error = nil
  ok = send_command("STARTTLS") do |resp|
    # Only a tagged OK means the server agreed to upgrade; any other
    # response leaves `handled` false and the socket untouched.
    if resp.kind_of?(TaggedResponse) && resp.name == "OK"
      handled = true
      clear_cached_capabilities
      clear_responses
      start_tls_session
    end
  rescue Exception => error
    raise # re-raise so the original backtrace is preserved
  end
  # Tail reconstructed from the advisory text (the quoted snippet was
  # truncated): a failed upgrade tears the connection down, and a command
  # that completed without the tagged-OK handler running is reported as an
  # error instead of being treated as a successful TLS negotiation.
  if error
    disconnect
    raise error
  end
  raise Error, "STARTTLS was not confirmed by a tagged OK; connection is not TLS" unless handled
  ok
end
# Source: https://github.com/ruby/net-imap/commit/0ede4c40b1523dfeaf95777b2678e54cc0fd9618
Detection Methods for CVE-2026-42246
Indicators of Compromise
- IMAP sessions originating from Ruby applications that contain LOGIN commands or message data transmitted over plaintext TCP on port 143 after a STARTTLS exchange.
- Network captures where the IMAP server response to STARTTLS is missing a tagged OK line but the client continues issuing commands.
- Outbound IMAP connections from application servers to unexpected hosts or proxies on port 143.
Detection Strategies
- Inventory Ruby application dependencies and flag any net-imap gem version below 0.3.10, 0.4.24, 0.5.14, or 0.6.4.
- Inspect IMAP traffic at egress points to confirm that sessions transition to TLS immediately after STARTTLS and do not continue in cleartext.
- Run software composition analysis against Gemfile.lock artifacts in CI to detect vulnerable net-imap versions before deployment.
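A small Ruby audit over a captured IMAP exchange, added here to illustrate the two network indicators above (a STARTTLS reply without a tagged OK, and readable client commands after STARTTLS). It is an added example, not part of the advisory or the net-imap project; the "C:"/"S:" transcript format and the sample sessions are constructed assumptions.

```ruby
# Constructed sample transcripts (not real captures). "C:" is client->server,
# "S:" is server->client, one IMAP line per row; the transcript format is an
# assumption made for this example.
STRIPPED_SESSION = <<~LOG
  S: * OK IMAP4rev1 ready
  C: RUBY0001 STARTTLS
  S: * BYE cannot upgrade
  C: RUBY0002 LOGIN "alice" "example-password"
  S: RUBY0002 OK LOGIN completed
LOG
CLEAN_SESSION = <<~LOG
  S: * OK IMAP4rev1 ready
  C: RUBY0001 STARTTLS
  S: RUBY0001 OK Begin TLS negotiation now
LOG

# Turn a transcript into {dir:, tag:, rest:} hashes, one per IMAP line.
def parse_transcript(text)
  text.each_line.map do |line|
    dir, payload = line.strip.split(": ", 2)
    next unless dir && payload
    tag, rest = payload.split(" ", 2)
    { dir: dir, tag: tag, rest: rest.to_s }
  end.compact
end

# Audit one session for the indicators described above. Returns a list of
# finding symbols; an empty list means the STARTTLS exchange looked healthy.
def audit_starttls(text)
  msgs = parse_transcript(text)
  idx = msgs.index { |m| m[:dir] == "C" && m[:rest].casecmp?("STARTTLS") }
  return [] unless idx # session never attempted STARTTLS
  tag = msgs[idx][:tag]
  after = msgs.drop(idx + 1)
  findings = []
  # 1. The server must answer STARTTLS with a tagged OK carrying the same tag.
  tagged_ok = after.any? { |m| m[:dir] == "S" && m[:tag] == tag && m[:rest].start_with?("OK") }
  findings << :no_tagged_ok unless tagged_ok
  # 2. After STARTTLS every further client line should be TLS ciphertext, so
  #    any readable client command here means the session stayed in cleartext.
  client_after = after.select { |m| m[:dir] == "C" }
  findings << :cleartext_after_starttls unless client_after.empty?
  # 3. Credentials sent on that cleartext channel are the high-severity case.
  findings << :plaintext_login if client_after.any? { |m| m[:rest].split.first.to_s.casecmp?("LOGIN") }
  findings
end

puts "stripped: #{audit_starttls(STRIPPED_SESSION).inspect}"
puts "clean:    #{audit_starttls(CLEAN_SESSION).inspect}"
```

To use it on real traffic, feed it one reconstructed TCP stream per session; a session with no STARTTLS at all returns no findings and should be judged by the plaintext-LOGIN rules elsewhere in this page.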
Monitoring Recommendations
- Alert on plaintext IMAP authentication attempts observed on the network, particularly from server workloads.
- Monitor for new or unauthorized hosts proxying IMAP traffic between application servers and mail providers.
- Log Ruby application gem versions during deployment and feed inventory data into vulnerability management workflows.
How to Mitigate CVE-2026-42246
Immediate Actions Required
- Upgrade the net-imap gem to 0.3.10, 0.4.24, 0.5.14, or 0.6.4 depending on the major version line in use.
- Rebuild and redeploy any Ruby applications, including Rails services, that bundle a vulnerable net-imap gem.
- Rotate any IMAP credentials used by Ruby applications that connected over networks where MITM interception was possible.
Patch Information
Fixes are available in the GitHub Security Advisory GHSA-vcgp-9326-pqcp. The patched releases are v0.3.10, v0.4.24, v0.5.14, and v0.6.4. The core fix is implemented in commit 0ede4c40, with backports in commits 24a4e770 and 97e2488f.
Workarounds
- Connect to IMAP servers using implicit TLS on port 993 (Net::IMAP.new(host, ssl: true)) instead of relying on STARTTLS upgrade on port 143.
- Restrict outbound IMAP traffic from application servers to known mail server endpoints to reduce MITM exposure.
- Pin net-imap to a patched version in Gemfile and run bundle update net-imap followed by verification with bundle list.
# Update the net-imap gem to a patched release
bundle update net-imap
# Verify the installed version is patched
bundle list | grep net-imap
# Expected output: net-imap (0.3.10) or 0.4.24 or 0.5.14 or 0.6.4 or higher
# Prefer implicit TLS on port 993 in Ruby code
# imap = Net::IMAP.new('imap.example.com', port: 993, ssl: true)
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.