{"id":"RUSTSEC-2026-0141","summary":"TLS hostname verification disabled when using Boring TLS backend","details":"An inverted-boolean bug in lettre's `boring-tls` integration silently\ndisables TLS hostname verification for callers using the default (strict)\nconfiguration. An on-path attacker presenting any chain-valid certificate\nfor any domain can intercept SMTP submission, including PLAIN/LOGIN\ncredentials and message contents, against any lettre user built with the\n`boring-tls` feature. Other TLS backends (`native-tls`, `rustls`) are\nunaffected.\n\nThe bug was introduced in v0.10.1 and persists through v0.11.21; it is fixed in v0.11.22.","aliases":["GHSA-4pj9-g833-qx53"],"modified":"2026-05-14T09:15:06.684884Z","published":"2026-05-14T12:00:00Z","database_specific":{"license":"CC0-1.0"},"references":[{"type":"PACKAGE","url":"https://crates.io/crates/lettre"},{"type":"ADVISORY","url":"https://rustsec.org/advisories/RUSTSEC-2026-0141.html"},{"type":"ADVISORY","url":"https://github.com/lettre/lettre/security/advisories/GHSA-4pj9-g833-qx53"}],"affected":[{"package":{"name":"lettre","ecosystem":"crates.io","purl":"pkg:cargo/lettre"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0.10.1"},{"fixed":"0.11.22"}]}],"ecosystem_specific":{"affects":{"arch":[],"os":[],"functions":[]},"affected_functions":null},"database_specific":{"categories":["crypto-failure"],"source":"https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2026-0141.json","informational":null,"cvss":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:L/SI:L/SA:N"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:L/SI:L/SA:N"}]}