CVE-2026-30227: CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection') in jstedfast MimeKit
MimeKit is a C# library which may be used for the creation and parsing of messages using the Multipurpose Internet Mail Extension (MIME), as defined by numerous IETF specifications. Prior to version 4.15.1, a CRLF injection vulnerability in MimeKit allows an attacker to embed \r\n into the SMTP envelope address local-part (when the local-part is a quoted-string). This is non-compliant with RFC 5321 and can result in SMTP command injection (e.g., injecting additional RCPT TO / DATA / RSET commands) and/or mail header injection, depending on how the application uses MailKit/MimeKit to construct and send messages. The issue becomes exploitable when the attacker can influence a MailboxAddress (MAIL FROM / RCPT TO) value that is later serialized to an SMTP session. RFC 5321 explicitly defines the SMTP mailbox local-part grammar and does not permit CR (13) or LF (10) inside Quoted-string (qtextSMTP and quoted-pairSMTP ranges exclude control characters). SMTP commands are terminated by <CRLF>, making CRLF injection in command arguments particularly dangerous. This issue has been patched in version 4.15.1.
AI Analysis
Technical Summary
MimeKit is a widely used C# library for creating and parsing MIME messages according to IETF standards. Prior to version 4.15.1, MimeKit contained a CRLF injection vulnerability (CWE-93) identified as CVE-2026-30227. The vulnerability arises because MimeKit improperly neutralizes CRLF sequences in the SMTP envelope address local-part when it is formatted as a quoted-string. According to RFC 5321, the local-part of an SMTP mailbox must not contain carriage return (CR, ASCII 13) or line feed (LF, ASCII 10) characters, as SMTP commands are delimited by CRLF sequences. By injecting these characters, an attacker can manipulate the SMTP session by injecting additional SMTP commands such as RCPT TO, DATA, or RSET. This can lead to unauthorized mail delivery commands or mail header injection, potentially allowing spoofing or disruption of mail flow. Exploitation requires the attacker to influence the MailboxAddress value that MimeKit serializes during SMTP communication. The vulnerability does not require authentication or user interaction and can be exploited remotely over the network. The issue was addressed and fixed in MimeKit version 4.15.1 by properly sanitizing and rejecting CRLF sequences in the local-part of mailbox addresses. No known exploits are reported in the wild as of now.
Potential Impact
The vulnerability can allow attackers to inject arbitrary SMTP commands into the mail transmission process, potentially enabling unauthorized mail delivery, mail spoofing, or disruption of mail services. This can undermine the integrity and reliability of email communications for organizations using vulnerable MimeKit versions. Attackers could manipulate recipient addresses or mail content, leading to phishing, spam propagation, or denial of service by resetting SMTP sessions. Since MimeKit is used in various mail-related applications and services, the impact can extend to any organization relying on these for email processing, including enterprises, service providers, and software vendors. The medium severity rating reflects the significant but not critical risk, given the lack of authentication requirements and the potential for remote exploitation. However, the scope depends on the extent to which vulnerable versions are deployed in production environments.
Mitigation Recommendations
Organizations should immediately upgrade MimeKit to version 4.15.1 or later, where the vulnerability is patched. Developers using MimeKit should audit their code to ensure that any user-controllable input used in MailboxAddress fields is properly validated and sanitized to prevent injection of CRLF characters. Implement strict input validation on email address fields, rejecting any input containing control characters or non-compliant syntax per RFC 5321. Employ application-layer filters or SMTP proxies that can detect and block anomalous SMTP command sequences indicative of injection attempts. Conduct thorough testing of email handling workflows to verify that injected commands cannot be executed. Monitor email logs for unusual SMTP commands or session resets that may indicate exploitation attempts. Finally, maintain awareness of MimeKit updates and security advisories to promptly address future vulnerabilities.
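One way to apply the input-validation recommendation above, as an added example that is not MimeKit's or MailKit's own code: a Python validator that enforces the RFC 5321 section 4.1.2 Local-part grammar (Dot-string / Quoted-string, with the qtextSMTP and quoted-pairSMTP byte ranges that exclude CR, LF and every other control character) on a mailbox string before the application hands it to MailboxAddress. The function names, the simplified Domain check (no address literals) and the sample inputs are assumptions of this example, not anything from the advisory or the library.

```python
"""Strict RFC 5321 mailbox validation to run before constructing a MailboxAddress.

Added example (not MimeKit/MailKit code). Implements Local-part = Dot-string /
Quoted-string from RFC 5321 section 4.1.2 plus a simplified Domain check.
"""
from __future__ import annotations

import re

# atext per RFC 5322 section 3.2.3: the characters allowed in a Dot-string Atom.
ATEXT = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
            "!#$%&'*+-/=?^_`{|}~")

MAX_LOCAL_PART = 64   # RFC 5321 section 4.5.3.1.1
MAX_DOMAIN = 255      # RFC 5321 section 4.5.3.1.2

# One DNS label: letters/digits, hyphens only in the interior (simplified sub-domain).
_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?$")


def is_dot_string(local: str) -> bool:
    """Dot-string = Atom *("." Atom); Atom = 1*atext."""
    if not local:
        return False
    return all(atom and all(c in ATEXT for c in atom) for atom in local.split("."))


def is_quoted_string(local: str) -> bool:
    """Quoted-string = DQUOTE *QcontentSMTP DQUOTE

    qtextSMTP       = %d32-33 / %d35-91 / %d93-126
    quoted-pairSMTP = %d92 %d32-126
    Both ranges exclude CR (13), LF (10) and all other controls, so a CRLF
    inside a quoted local-part is a grammar violation, not a legal escape.
    """
    if len(local) < 2 or local[0] != '"' or local[-1] != '"':
        return False
    body = local[1:-1]
    i = 0
    while i < len(body):
        code = ord(body[i])
        if code == 92:                       # backslash starts a quoted-pairSMTP
            if i + 1 >= len(body) or not 32 <= ord(body[i + 1]) <= 126:
                return False                 # escaped char must be printable ASCII
            i += 2
            continue
        if not (32 <= code <= 33 or 35 <= code <= 91 or 93 <= code <= 126):
            return False                     # CR, LF, DEL, non-ASCII, bare DQUOTE
        i += 1
    return True


def is_domain(domain: str) -> bool:
    """Simplified Domain = sub-domain *("." sub-domain); address literals are rejected here."""
    if not domain or len(domain) > MAX_DOMAIN:
        return False
    return all(_LABEL.match(label) for label in domain.split("."))


def split_mailbox(mailbox: str) -> tuple[str, str] | None:
    """Split at the '@' that ends the local-part, honouring a quoted-string.

    Returns (local, domain), or None when no unquoted '@' separator exists.
    """
    if mailbox.startswith('"'):
        i, in_escape = 1, False
        while i < len(mailbox):
            c = mailbox[i]
            if in_escape:
                in_escape = False
            elif c == "\\":
                in_escape = True
            elif c == '"':
                break                        # closing DQUOTE found
            i += 1
        else:
            return None                      # unterminated quoted-string
        at = i + 1
        if at >= len(mailbox) or mailbox[at] != "@":
            return None
    else:
        at = mailbox.find("@")
        if at < 0:
            return None
    return mailbox[:at], mailbox[at + 1:]


def validate_mailbox(mailbox: str) -> tuple[bool, str]:
    """Return (ok, reason); reject before the value ever reaches MailboxAddress."""
    # Fail fast on the bytes that terminate SMTP commands, wherever they appear.
    if "\r" in mailbox or "\n" in mailbox:
        return False, "CR/LF not permitted anywhere in a mailbox"
    parts = split_mailbox(mailbox)
    if parts is None:
        return False, "missing '@' separator"
    local, domain = parts
    if len(local.encode("utf-8")) > MAX_LOCAL_PART:
        return False, "local-part exceeds 64 octets"
    if not (is_dot_string(local) or is_quoted_string(local)):
        return False, "local-part is neither Dot-string nor Quoted-string"
    if not is_domain(domain):
        return False, "domain is not a valid RFC 5321 Domain"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample inputs: a plain address, a legal quoted local-part,
    # and a quoted local-part carrying the CRLF the advisory describes.
    for sample in ("alice@example.com",
                   '"alice smith"@example.com',
                   '"alice\r\nRSET"@example.com'):
        print(repr(sample), "->", validate_mailbox(sample))
```

The early CR/LF check is deliberate belt-and-braces: even if a future grammar change made the quoted-string path more permissive, nothing containing the SMTP line terminator can pass. Rejecting (rather than stripping) the characters keeps the failure visible to the caller and to logging, which is what the monitoring recommendation above needs.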
Affected Countries
United States, Germany, United Kingdom, France, Japan, South Korea, Canada, Australia, Netherlands, India
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-04T17:23:59.797Z
- Cvss Version: 4.0
- State: PUBLISHED
Threat ID: 69ab4414c48b3f10ffd8fc28
Added to database: 3/6/2026, 9:16:04 PM
Last enriched: 3/14/2026, 7:42:37 PM
Last updated: 4/21/2026, 5:57:28 AM