{"id":"CVE-2026-41319","summary":"MailKit has STARTTLS Response Injection via unflushed stream buffer that enables SASL mechanism downgrade","details":"MailKit is a cross-platform mail client library built on top of MimeKit. A STARTTLS Response Injection vulnerability in versions prior to 4.16.0 allows a Man-in-the-Middle attacker to inject arbitrary protocol responses across the plaintext-to-TLS trust boundary, enabling SASL authentication mechanism downgrade (e.g., forcing PLAIN instead of SCRAM-SHA-256). The internal read buffer in `SmtpStream`, `ImapStream`, and `Pop3Stream` is not flushed when the underlying stream is replaced with `SslStream` during STARTTLS upgrade, causing pre-TLS attacker-injected data to be processed as trusted post-TLS responses. Version 4.16.0 patches the issue.","aliases":["GHSA-9j88-vvj5-vhgr"],"modified":"2026-07-08T08:14:29.552997555Z","published":"2026-04-24T03:07:24.335Z","database_specific":{"cwe_ids":["CWE-74"],"cna_assigner":"GitHub_M","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/41xxx/CVE-2026-41319.json"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/41xxx/CVE-2026-41319.json"},{"type":"ADVISORY","url":"https://github.com/jstedfast/MailKit/security/advisories/GHSA-9j88-vvj5-vhgr"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41319"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/jstedfast/mailkit","events":[{"introduced":"0"},{"fixed":"33f045be0f64a255fe153acd640af37d80c0ede3"}],"database_specific":{"cpe":"cpe:2.3:a:jstedfast:mailkit:*:*:*:*:*:*:*:*","source":["AFFECTED_FIELD","CPE_RANGE"],"extracted_events":[{"introduced":"0"},{"fixed":"4.16.0"}]}}],"versions":["4.15.1","4.15.0","4.14.1","4.14.0","4.13.0","4.12.1","4.12.0","4.11.0","4.10.0","4.9.0","4.8.0","4.7.1.1","4.7.1","4.7.0","4.6.0","4.5.0","4.4.0","4.3.0","4.2.0","4.1.0","4.0.0","3.6.0","3.5.0","3.4.3","3.4.2","3.4.1","3.4.0","3.3.0","3.2.0","3.1.1","3.1.0","3.0.0","2.15.0","2.14.0","2.13.0","2.12.0","2.11.1","2.11.0","2.10.1","2.10.0","2.9.0","2.8.0","2.7.0","2.6.0","2.5.2","2.5.1","2.5.0","2.4.1","2.4.0","2.3.2","2.3.1","2.3.0","2.2.0","2.1.5.1","2.1.4","2.1.3","2.1.2","2.1.1","2.1.0.2","2.1.0","2.0.7","2.0.6","2.0.5","2.0.4","2.0.2","2.0.1","2.0.0","1.22.0","1.20.0","1.18.1.1","1.18.1","1.18.0","1.16.2","1.16.1","1.16.0","1.14.0","1.12.0","1.10.2","1.10.1","1.10.0","1.8.1","1.8.0","1.6.0","1.4.2","1.4.1","1.4.0","1.2.24","1.2.23","1.2.22","1.2.20","1.2.18","1.2.17","1.2.16","1.2.15","1.2.14","1.2.13","1.2.12","1.2.11.1","1.2.11","1.2.10","1.2.9","1.2.8","1.2.7","1.2.5","1.2.4","1.2.3","1.2.2","1.2.1","1.2.0","1.0.17","1.0.16","1.0.15","1.0.14","1.0.13","1.0.12","1.0.11","1.0.10","1.0.9","1.0.8","1.0.7","1.0.6","1.0.5","1.0.4","1.0.3","1.0.2","1.0.1","1.0.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-41319.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N"}]}