GHSA-9j88-vvj5-vhgr: STARTTLS Response Injection and SASL Downgrade in MailKit Vulnerability ID: GHSA-9J88-VVJ5-VHGR CVSS Score: 6.5 Published: 2026-04-18 MailKit versions prior to 4.16.0 contain a STARTTLS response injection vulnerability. A network-positioned attacker can inject plaintext protocol responses into the client's internal read buffer before the TLS handshake completes, causing the client to process the injected data post-TLS. This flaw typically facilitates SASL mechanism downgrades. A flaw in MailKit's stream handling allows a Man-in-the-Middle attacker to inject malicious protocol data during the STARTTLS upgrade. The unflushed internal buffer causes the client to process this unencrypted data as a legitimate post-TLS response, enabling authentication downgrades. CWE ID: CWE-74 Attack Vector: Network (MitM) CVSS Score: 6.5 Impact: Integrity (High) - SASL Downgrade Exploit Status: Proof-of-Concept MailKit < 4.16.0 MailKit: < 4.16.0 (Fixed in: 4.16.0) Update MailKit to version 4.16.0 or newer. Enforce implicit TLS (SslOnConnect) on dedicated secure ports (465, 993, 995) instead of relying on STARTTLS. Remediation Steps: Identify projects referencing MailKit via csproj or packages.config. Update the NuGet package reference to version 4.16.0 or higher. Recompile and deploy the application. Audit network configurations to ensure implicit TLS is preferred over explicit STARTTLS. GitHub Advisory: GHSA-9j88-vvj5-vhgr OSV Record MailKit Repository Vendor Security Advisory Read the full report for GHSA-9J88-VVJ5-VHGR on our website for more details including interactive diagrams and full exploit analysis.