CVE-2026-30227: CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection') in jstedfast MimeKit
MimeKit is a C# library which may be used for the creation and parsing of messages using the Multipurpose Internet Mail Extension (MIME), as defined by numerous IETF specifications. Prior to version 4.15.1, a CRLF injection vulnerability in MimeKit allows an attacker to embed \r\n into the SMTP envelope address local-part (when the local-part is a quoted-string). This is non-compliant with RFC 5321 and can result in SMTP command injection (e.g., injecting additional RCPT TO / DATA / RSET commands) and/or mail header injection, depending on how the application uses MailKit/MimeKit to construct and send messages. The issue becomes exploitable when the attacker can influence a MailboxAddress (MAIL FROM / RCPT TO) value that is later serialized to an SMTP session. RFC 5321 explicitly defines the SMTP mailbox local-part grammar and does not permit CR (13) or LF (10) inside Quoted-string (qtextSMTP and quoted-pairSMTP ranges exclude control characters). SMTP commands are terminated by <CRLF>, making CRLF injection in command arguments particularly dangerous. This issue has been patched in version 4.15.1.
AI Analysis
Technical Summary
MimeKit is a widely used C# library for creating and parsing MIME messages, adhering to IETF standards. Prior to version 4.15.1, MimeKit contained a vulnerability classified as CWE-93 (Improper Neutralization of CRLF Sequences), identified as CVE-2026-30227. This vulnerability arises because MimeKit improperly allows carriage return (CR, ASCII 13) and line feed (LF, ASCII 10) characters to be embedded within the SMTP envelope address local-part when it is formatted as a quoted-string. According to RFC 5321, the SMTP mailbox local-part grammar explicitly forbids CR and LF characters inside quoted strings. SMTP commands are terminated by CRLF sequences, so injecting these characters can manipulate the SMTP session by injecting additional commands such as RCPT TO, DATA, or RSET. This can lead to SMTP command injection or mail header injection depending on how the application uses MimeKit and MailKit to construct and send emails. The vulnerability becomes exploitable when an attacker can influence the MailboxAddress values that are serialized and sent during SMTP sessions. Since the vulnerability does not require authentication or user interaction and can be exploited remotely over the network, it poses a significant risk. The issue was addressed and patched in MimeKit version 4.15.1, which properly sanitizes and prevents CRLF injection in the local-part of SMTP addresses.
Potential Impact
The primary impact of this vulnerability is the potential for SMTP command injection, allowing attackers to manipulate SMTP sessions by injecting additional commands. This can lead to unauthorized email sending, mail relay abuse, or disruption of mail delivery processes. Mail header injection could also enable attackers to alter email headers, potentially facilitating phishing, spoofing, or bypassing spam filters. Organizations relying on MimeKit for email processing or sending, especially those integrating it into mail servers, automated email systems, or security appliances, are at risk of these impacts. Exploitation could undermine the confidentiality and integrity of email communications and disrupt availability by causing SMTP session failures or resets. Although no known exploits are reported in the wild yet, the medium CVSS score and ease of exploitation without authentication make timely remediation critical to prevent potential abuse.
Mitigation Recommendations
Organizations should immediately upgrade MimeKit to version 4.15.1 or later, where the vulnerability is patched. For applications that cannot upgrade immediately, implement strict input validation and sanitization on any user-controllable data used in MailboxAddress fields to ensure CR and LF characters are not present. Employ network-level SMTP filtering and monitoring to detect anomalous SMTP command sequences that may indicate injection attempts. Review and harden email sending workflows to minimize exposure of SMTP envelope fields to untrusted input. Additionally, conduct security testing and code reviews focusing on email construction and SMTP session handling to identify similar injection risks. Maintain up-to-date threat intelligence and monitor for any emerging exploits targeting this vulnerability.
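The pre-validation recommended above, written out as an added example for both the grammar point in the analysis and the mitigation step; it is not MimeKit's or MailKit's own code. It checks a mailbox against the RFC 5321 Local-part grammar the advisory cites (Dot-string / Quoted-string, with qtextSMTP and quoted-pairSMTP excluding control characters) before the value would be handed to a MailboxAddress, and serializes MAIL FROM / RCPT TO only from validated input. The function names are this example's own, the Domain check is a simplified LDH-label match (address-literals such as [192.0.2.1] are assumed out of scope), and the sample addresses are constructed.

```python
"""RFC 5321 local-part validation as an application-side guard for SMTP envelope addresses.

Added example, not MimeKit's or MailKit's own code: it checks a mailbox against the
Local-part grammar the advisory cites (Dot-string / Quoted-string, with qtextSMTP and
quoted-pairSMTP excluding control characters) before the value is handed to a
MailboxAddress, and serializes MAIL FROM / RCPT TO only from validated input.
"""
from __future__ import annotations

import re

# atext (RFC 5322, referenced by RFC 5321): characters allowed in a Dot-string atom.
ATEXT = frozenset(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
    "!#$%&'*+-/=?^_`{|}~"
)

# Simplified RFC 5321 Domain: dot-separated LDH labels. Address-literals such as
# [192.0.2.1] are not handled here (assumption of this example).
DOMAIN_RE = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*")


def is_qtext_smtp(ch: str) -> bool:
    """qtextSMTP = %d32-33 / %d35-91 / %d93-126: printable ASCII minus DQUOTE and backslash.
    CR (13) and LF (10) fall outside every range, which is the property that matters here."""
    c = ord(ch)
    return 32 <= c <= 33 or 35 <= c <= 91 or 93 <= c <= 126


def validate_local_part(local: str) -> tuple[bool, str]:
    """Return (ok, reason) for Local-part = Dot-string / Quoted-string."""
    if not local or len(local) > 64:
        return False, "empty or longer than 64 octets"
    if local[0] == '"':
        # Quoted-string = DQUOTE *QcontentSMTP DQUOTE
        if len(local) < 2 or local[-1] != '"':
            return False, "unterminated quoted-string"
        body = local[1:-1]
        i = 0
        while i < len(body):
            if body[i] == "\\":
                # quoted-pairSMTP = %d92 %d32-126: a backslash cannot escape CR or LF either
                if i + 1 >= len(body) or not 32 <= ord(body[i + 1]) <= 126:
                    return False, f"invalid quoted-pair at offset {i}"
                i += 2
                continue
            if not is_qtext_smtp(body[i]):
                return False, f"illegal character 0x{ord(body[i]):02x} at offset {i}"
            i += 1
        return True, "quoted-string ok"
    # Dot-string = Atom *("." Atom), Atom = 1*atext
    atoms = local.split(".")
    if any(atom == "" for atom in atoms):
        return False, "empty atom in dot-string"
    for atom in atoms:
        for ch in atom:
            if ch not in ATEXT:
                return False, f"illegal character 0x{ord(ch):02x} in dot-string"
    return True, "dot-string ok"


def validate_mailbox(address: str) -> tuple[bool, str]:
    """Mailbox = Local-part "@" Domain. The split is on the last '@' because a
    quoted-string local-part may itself contain '@'."""
    local, sep, domain = address.rpartition("@")
    if not sep:
        return False, "missing '@'"
    ok, reason = validate_local_part(local)
    if not ok:
        return False, reason
    if len(domain) > 255 or DOMAIN_RE.fullmatch(domain) is None:
        return False, "domain is not a dot-separated LDH name"
    return True, reason


def envelope_command(verb: str, address: str) -> str:
    """Serialize one SMTP envelope command (verb is "MAIL FROM" or "RCPT TO").
    Refuses unvalidated input, so the only CRLF in the result is the terminator."""
    if verb not in ("MAIL FROM", "RCPT TO"):
        raise ValueError(f"unsupported envelope verb {verb!r}")
    ok, reason = validate_mailbox(address)
    if not ok:
        raise ValueError(f"refusing to serialize {address!r}: {reason}")
    return f"{verb}:<{address}>\r\n"


if __name__ == "__main__":
    # Constructed samples; the third embeds CR LF inside a quoted-string local-part,
    # the shape of input the vulnerable MimeKit versions passed through unchanged.
    for addr in ("alice@example.com", '"john smith"@example.com',
                 '"x\r\ny"@example.com', "bad..dots@example.com"):
        print(f"{addr!r}: {validate_mailbox(addr)}")
```

Run the check on every user-influenced value before it becomes a MailboxAddress, not only on the envelope path: the same quoted-string rule keeps CR and LF out of From/To header values that MimeKit serializes later. Rejecting rather than stripping is deliberate, since silently deleting the CRLF can turn one malformed address into a different, valid one.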
Affected Countries
United States, Germany, United Kingdom, France, Japan, South Korea, Canada, Australia, India, Brazil
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-04T17:23:59.797Z
- Cvss Version: 4.0
- State: PUBLISHED
Threat ID: 69ab4414c48b3f10ffd8fc28
Added to database: 3/6/2026, 9:16:04 PM
Last enriched: 3/6/2026, 9:30:48 PM
Last updated: 3/6/2026, 11:59:23 PM