{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-41319", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-20T14:01:46.671Z", "datePublished": "2026-04-24T03:07:24.335Z", "dateUpdated": "2026-04-25T01:46:35.002Z"}, "containers": {"cna": {"title": "MailKit has STARTTLS Response Injection via unflushed stream buffer that enables SASL mechanism downgrade", "problemTypes": [{"descriptions": [{"cweId": "CWE-74", "lang": "en", "description": "CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/jstedfast/MailKit/security/advisories/GHSA-9j88-vvj5-vhgr", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/jstedfast/MailKit/security/advisories/GHSA-9j88-vvj5-vhgr"}], "affected": [{"vendor": "jstedfast", "product": "MailKit", "versions": [{"version": "< 4.16.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-24T03:07:24.335Z"}, "descriptions": [{"lang": "en", "value": "MailKit is a cross-platform mail client library built on top of MimeKit. A STARTTLS Response Injection vulnerability in versions prior to 4.16.0 allows a Man-in-the-Middle attacker to inject arbitrary protocol responses across the plaintext-to-TLS trust boundary, enabling SASL authentication mechanism downgrade (e.g., forcing PLAIN instead of SCRAM-SHA-256). The internal read buffer in `SmtpStream`, `ImapStream`, and `Pop3Stream` is not flushed when the underlying stream is replaced with `SslStream` during STARTTLS upgrade, causing pre-TLS attacker-injected data to be processed as trusted post-TLS responses. Version 4.16.0 patches the issue."}], "source": {"advisory": "GHSA-9j88-vvj5-vhgr", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/jstedfast/MailKit/security/advisories/GHSA-9j88-vvj5-vhgr", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-25T01:46:14.462850Z", "id": "CVE-2026-41319", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-25T01:46:35.002Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-41319", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-25T01:46:14.462850Z"}}}], "references": [{"url": "https://github.com/jstedfast/MailKit/security/advisories/GHSA-9j88-vvj5-vhgr", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-25T01:46:30.490Z"}}], "cna": {"title": "MailKit has STARTTLS Response Injection via unflushed stream buffer that enables SASL mechanism downgrade", "source": {"advisory": "GHSA-9j88-vvj5-vhgr", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "jstedfast", "product": "MailKit", "versions": [{"status": "affected", "version": "< 4.16.0"}]}], "references": [{"url": "https://github.com/jstedfast/MailKit/security/advisories/GHSA-9j88-vvj5-vhgr", "name": "https://github.com/jstedfast/MailKit/security/advisories/GHSA-9j88-vvj5-vhgr", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "MailKit is a cross-platform mail client library built on top of MimeKit. A STARTTLS Response Injection vulnerability in versions prior to 4.16.0 allows a Man-in-the-Middle attacker to inject arbitrary protocol responses across the plaintext-to-TLS trust boundary, enabling SASL authentication mechanism downgrade (e.g., forcing PLAIN instead of SCRAM-SHA-256). The internal read buffer in `SmtpStream`, `ImapStream`, and `Pop3Stream` is not flushed when the underlying stream is replaced with `SslStream` during STARTTLS upgrade, causing pre-TLS attacker-injected data to be processed as trusted post-TLS responses. Version 4.16.0 patches the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-74", "description": "CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-24T03:07:24.335Z"}}}, "cveMetadata": {"cveId": "CVE-2026-41319", "state": "PUBLISHED", "dateUpdated": "2026-04-25T01:46:35.002Z", "dateReserved": "2026-04-20T14:01:46.671Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-24T03:07:24.335Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "MailKit is a cross-platform mail client library built on top of MimeKit. A STARTTLS Response Injection vulnerability in versions prior to 4.16.0 allows a Man-in-the-Middle attacker to inject arbitrary protocol responses across the plaintext-to-TLS trust boundary, enabling SASL authentication mechanism downgrade (e.g., forcing PLAIN instead of SCRAM-SHA-256). The internal read buffer in `SmtpStream`, `ImapStream`, and `Pop3Stream` is not flushed when the underlying stream is replaced with `SslStream` during STARTTLS upgrade, causing pre-TLS attacker-injected data to be processed as trusted post-TLS responses. Version 4.16.0 patches the issue."}], "id": "CVE-2026-41319", "lastModified": "2026-04-25T03:16:04.600", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-24T04:16:20.400", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/jstedfast/MailKit/security/advisories/GHSA-9j88-vvj5-vhgr"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "url": "https://github.com/jstedfast/MailKit/security/advisories/GHSA-9j88-vvj5-vhgr"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-74"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,4.16.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "product": "mailkit", "vendor": "jstedfast"}], "analysis": {"en": {"generated_at": "2026-04-28T14:25:43.979356+00:00", "value": {"mitigation_remediation": ["Update MailKit to version\u202f4.16.0 or later", "Configure the mail client to enforce strict TLS and reject any unauthenticated or downgraded authentication responses", "Disable weak SASL mechanisms such as PLAIN over TLS on the mail server to prevent downgrade attacks"], "summary": {"action": "Assess Impact", "impact": "Authentication mechanism downgrade via injected STARTTLS responses"}, "threat_synthesis": {"affected_systems": "The affected product is jstedfast MailKit. All releases before 4.16.0 are vulnerable; the issue is fixed in MailKit\u00a04.16.0 and later. Any application that references an older MailKit library is at risk, regardless of the underlying mail protocol (SMTP, IMAP, POP3).", "description_and_impact": "MailKit versions prior to 4.16.0 contain a STARTTLS Response Injection flaw in the stream handling code. An attacker who can perform a man\u2011in\u2011the\u2011middle (MITM) on the email session can inject arbitrary protocol responses before the TLS upgrade. Those injected responses are processed after the stream is wrapped in SSL, allowing the attacker to force the client to authenticate with weaker SASL mechanisms such as PLAIN instead of stronger SCRAM series. This can lead to credential theft or unauthorized access if weak authentication is used.", "risk_and_exploitability": "The CVSS score of 6.5 indicates a moderate severity in the context of authentication downgrade. The EPSS score of less than 1% shows that current exploitation activity appears very low. MailKit is not listed in the CISA KEV catalog. The likely attack vector requires a MITM that can intercept the plaintext phase of the connection; the attacker does not need any special privileges on the client machine. Although exploitation probability is low, the impact of successfully downgrading to a weak SASL mechanism is significant for systems relying on strong authentication."}}}}, "created": "2026-04-28T09:25:22.614995+00:00", "updated": "2026-04-28T14:30:33.764840+00:00", "vendors": ["jstedfast", "jstedfast$PRODUCT$mailkit"]}