Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-47242

CVE-2026-47242: Ruby Net::IMAP RCE Vulnerability

CVE-2026-47242 is a remote code execution vulnerability in Ruby Net::IMAP that allows attackers to inject arbitrary IMAP commands. This article covers technical details, affected versions, and mitigation steps.

Published:

CVE-2026-47242 Overview

CVE-2026-47242 is a command injection vulnerability in the Net::IMAP library, which implements Internet Message Access Protocol (IMAP) client functionality in Ruby. The flaw affects versions prior to 0.6.5 and 0.5.15. Two code paths fail to validate input properly. Net::IMAP#id quotes ID field values but does not reject carriage return/line feed (CRLF) sequences. Net::IMAP#enable processes argument aliases but never validates them as IMAP atoms. Attackers can inject arbitrary IMAP commands by passing crafted arguments to either method. The issue is tracked as [CWE-77] Command Injection.

Critical Impact

An attacker who controls input passed to Net::IMAP#id or Net::IMAP#enable can inject arbitrary IMAP protocol commands into an authenticated session, compromising mailbox integrity.

Affected Products

  • Ruby net-imap gem versions prior to 0.6.5
  • Ruby net-imap gem versions prior to 0.5.15
  • Ruby applications using Net::IMAP#id or Net::IMAP#enable with attacker-influenced arguments

Discovery Timeline

  • 2026-06-22 - CVE-2026-47242 published to NVD
  • 2026-06-23 - Last updated in NVD database

Technical Details for CVE-2026-47242

Vulnerability Analysis

The Net::IMAP library exposes two methods that accept structured arguments and serialize them into IMAP wire-protocol commands. The #id method accepts a hash and quotes each value as an IMAP string. However, the quoting routine escapes only quoted-specials and does not strip CRLF (\r\n) sequences. IMAP uses CRLF as a command terminator, so an attacker-controlled string containing CRLF terminates the legitimate command and begins a new one.

The #enable method accepts capability names and resolves aliases. The resolved values are concatenated into the outbound command using each argument's #to_s representation. The library does not verify that arguments conform to the IMAP atom grammar defined in RFC 3501.

Both code paths allow an attacker who supplies hash values or capability arguments to break out of the intended command and execute additional IMAP verbs in the authenticated context.

Root Cause

The root cause is missing input validation [CWE-77]. The #id serializer enforces only a partial subset of IMAP string escaping rules and omits CRLF rejection. The #enable serializer applies no grammar validation at all and trusts the #to_s output of its arguments.

Attack Vector

Exploitation requires a Ruby application that forwards user-controlled or partially-controlled data into Net::IMAP#id or Net::IMAP#enable. The attacker submits a value containing CRLF sequences followed by arbitrary IMAP commands. Once the underlying socket transmits the crafted payload, the IMAP server executes the injected commands within the authenticated session. Possible consequences include reading, modifying, or deleting messages, altering ACLs, or issuing administrative commands depending on server capabilities.

No verified exploit code is publicly available. Refer to the GitHub Security Advisory GHSA-46q3-7gv7-qmgg for additional technical detail.

Detection Methods for CVE-2026-47242

Indicators of Compromise

  • IMAP client traffic containing CRLF sequences inside ID command parameter values, observable in TLS-decrypted network captures or server-side IMAP logs.
  • Unexpected IMAP verbs issued immediately after an ID or ENABLE command from a single client session.
  • Application logs showing hash values passed to Net::IMAP#id that include \r or \n byte sequences.

Detection Strategies

  • Audit Ruby codebases for calls to Net::IMAP#id and Net::IMAP#enable where arguments derive from external input.
  • Inspect IMAP server logs for malformed ID responses or sequential commands from the same tag within a single round trip.
  • Enable verbose IMAP protocol logging on staging servers to surface injected verb sequences during testing.

Monitoring Recommendations

  • Alert on IMAP sessions where the number of commands issued exceeds the expected baseline for a single authenticated connection.
  • Monitor outbound IMAP traffic from application servers for non-printable bytes (0x0D, 0x0A) inside quoted string parameters.
  • Track installed net-imap gem versions across application inventories and flag hosts running versions earlier than 0.6.5 or 0.5.15.

How to Mitigate CVE-2026-47242

Immediate Actions Required

  • Upgrade the net-imap gem to version 0.6.5 (6.x branch) or 0.5.15 (5.x branch) across all Ruby applications.
  • Audit application code for any path that forwards untrusted input into Net::IMAP#id or Net::IMAP#enable.
  • Rotate IMAP credentials used by applications that may have processed attacker-influenced arguments before patching.

Patch Information

The Ruby net-imap maintainers released fixed versions 0.6.5 and 0.5.15. The patches add CRLF validation to the #id argument serializer and enforce atom grammar checks on #enable arguments. Patch details are published in the GitHub Security Advisory GHSA-46q3-7gv7-qmgg.

Workarounds

  • Reject or strip \r and \n bytes from any string before passing it to Net::IMAP#id hash values.
  • Validate Net::IMAP#enable arguments against the IMAP atom grammar (ATOM-CHAR excluding atom-specials) before invocation.
  • Avoid exposing Net::IMAP#id and Net::IMAP#enable to data paths that include unsanitized user input until the gem is upgraded.
bash
# Upgrade net-imap to a fixed release
bundle update net-imap

# Verify installed version is 0.6.5 or 0.5.15 or later
gem list net-imap

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.