CVE-2026-42246
7.4 HIGH
Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby
Published: 2026-05-09 · Last updated: 2026-05-18
Severity and scoring
- CVSS: 7.4 HIGH
- Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
- CWE: CWE-392, CWE-393, CWE-636, CWE-754, CWE-841
Affected products
| Vendor | Product |
|---|---|
| ruby-lang | net\ |
Description
Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Prior to versions 0.3.10, 0.4.24, 0.5.14, and 0.6.4, a man-in-the-middle attacker can cause Net::IMAP#starttls to return "successfully", without starting TLS. This issue has been patched in versions 0.3.10, 0.4.24, 0.5.14, and 0.6.4.
Source: NVD
References
- NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-42246
- Patch: https://github.com/ruby/net-imap/commit/0ede4c40b1523dfeaf95777b2678e54cc0fd9618
- Patch: https://github.com/ruby/net-imap/commit/24a4e770b43230286a05aa2a9746cdbb3eb8485e
- Patch: https://github.com/ruby/net-imap/commit/97e2488fb5401a1783bddd959dde007d9fbce42c
- Patch: https://github.com/ruby/net-imap/commit/f79d35bf5833f186e81044c57c843eda30c873da
- Other: https://github.com/ruby/net-imap/releases/tag/v0.3.10
- Other: https://github.com/ruby/net-imap/releases/tag/v0.4.24
- Other: https://github.com/ruby/net-imap/releases/tag/v0.5.14
- Vendor advisory: https://github.com/ruby/net-imap/security/advisories/GHSA-vcgp-9326-pqcp
Related CVEs
Same vendor
- CVE-2026-46727 — An issue was discovered in Ruby 4 before 4.0.5 (8.1 HIGH)
- CVE-2026-42258 — Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby (9.8 CRITICAL)
- CVE-2026-42257 — Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby (9.8 CRITICAL)
- CVE-2026-42256 — Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby (6.5 MEDIUM)
- CVE-2026-42245 — Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby (7.5 HIGH)
Same CWE
- CVE-2026-46541 — Nimiq is a Rust implementation of the Nimiq Proof-of-Stake protocol based on the Albatross consensus algorithm (7.5 HIGH)
- CVE-2026-46540 — Nimiq is a Rust implementation of the Nimiq Proof-of-Stake protocol based on the Albatross consensus algorithm (6.5 MEDIUM)
- CVE-2026-43974 — Unexpected Status Code or Return Value vulnerability in ninenines gun (gun_http module) allows a malicious HTTP server to force the clien...
- CVE-2026-45678 — OpenTelemetry eBPF Instrumentation provides eBPF instrumentation based on the OpenTelemetry standard (7.5 HIGH)
- CVE-2026-49325 — Improper handling of physical conditions in the bike-shutdown control of the Indian Motorcycle Scout Bobber + Tech 2025 model year allows... (4.6 MEDIUM)