High severity 7.4 · GHSA Advisory · Published May 9, 2026 · Updated May 18, 2026
CVE-2026-42246
Description
Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Prior to versions 0.3.10, 0.4.24, 0.5.14, and 0.6.4, a man-in-the-middle attacker can cause Net::IMAP#starttls to return "successfully", without starting TLS. This issue has been patched in versions 0.3.10, 0.4.24, 0.5.14, and 0.6.4.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| net-imap (RubyGems) | >= 0.6.0, < 0.6.4 | 0.6.4 |
| net-imap (RubyGems) | >= 0.5.0, < 0.5.14 | 0.5.14 |
| net-imap (RubyGems) | >= 0.4.0, < 0.4.24 | 0.4.24 |
| net-imap (RubyGems) | < 0.3.10 | 0.3.10 |
Affected products
References (14)
- github.com/ruby/net-imap/commit/0ede4c40b1523dfeaf95777b2678e54cc0fd9618 · nvd · Patch · WEB
- github.com/ruby/net-imap/commit/24a4e770b43230286a05aa2a9746cdbb3eb8485e · nvd · Patch · WEB
- github.com/ruby/net-imap/commit/97e2488fb5401a1783bddd959dde007d9fbce42c · nvd · Patch · WEB
- github.com/ruby/net-imap/commit/f79d35bf5833f186e81044c57c843eda30c873da · nvd · Patch · WEB
- github.com/advisories/GHSA-vcgp-9326-pqcp · ghsa · ADVISORY
- github.com/ruby/net-imap/security/advisories/GHSA-vcgp-9326-pqcp · nvd · Mitigation · Vendor Advisory · WEB
- nvd.nist.gov/vuln/detail/CVE-2026-42246 · ghsa · ADVISORY
- github.com/ruby/net-imap/releases/tag/v0.3.10 · nvd · Release Notes · WEB
- github.com/ruby/net-imap/releases/tag/v0.4.24 · nvd · Release Notes · WEB
- github.com/ruby/net-imap/releases/tag/v0.5.14 · nvd · Release Notes · WEB
- github.com/ruby/net-imap/releases/tag/v0.6.4 · ghsa · WEB
- github.com/rubysec/ruby-advisory-db/blob/master/gems/net-imap/CVE-2026-42246.yml · ghsa · WEB
- nostarttls.secvuln.info · ghsa · WEB
- www.rfc-editor.org/info/rfc8314 · ghsa · WEB
News mentions (1)
- Patch Tuesday - May 2026 · Rapid7 Blog · May 13, 2026