CVE-2026-41319

MEDIUM 6.5

MailKit has STARTTLS Response Injection via unflushed stream buffer that enables SASL mechanism downgrade

CVSS Score

6.5

EPSS Score

0.0%

EPSS Percentile

0th

MailKit is a cross-platform mail client library built on top of MimeKit. A STARTTLS Response Injection vulnerability in versions prior to 4.16.0 allows a Man-in-the-Middle attacker to inject arbitrary protocol responses across the plaintext-to-TLS trust boundary, enabling SASL authentication mechanism downgrade (e.g., forcing PLAIN instead of SCRAM-SHA-256). The internal read buffer in `SmtpStream`, `ImapStream`, and `Pop3Stream` is not flushed when the underlying stream is replaced with `SslStream` during STARTTLS upgrade, causing pre-TLS attacker-injected data to be processed as trusted post-TLS responses. Version 4.16.0 patches the issue.

CWE	CWE-74
Vendor	jstedfast
Product	mailkit
Published	Apr 24, 2026

Stay Ahead of the Next One

Get instant alerts for jstedfast mailkit

Be the first to know when new medium vulnerabilities affecting jstedfast mailkit are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

None

Affected Versions

jstedfast / MailKit

< 4.16.0

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/jstedfast/MailKit/security/advisories/GHSA-9j88-vvj5-vhgr