
CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-2469: Return to Sender: Unauthenticated IMAP Command Injection in directorytree/imapengine


Vulnerability ID: CVE-2026-2469
CVSS Score: 7.6
Published: 2026-02-14

A critical failure in input sanitization within the directorytree/imapengine PHP library allows attackers to perform IMAP Command Injection. By manipulating the parameters passed to the id() method, malicious actors can break out of the protocol's quoted-string syntax and inject arbitrary IMAP commands. This can lead to unauthorized email exfiltration, data modification, or denial of service against the mail server.

TL;DR

The id() method in directorytree/imapengine (< 1.22.3) concatenates user input directly into IMAP commands without escaping. Attackers can inject double quotes and CRLF sequences to execute unauthorized commands like FETCH or LOGOUT.

⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-74 / CWE-93
  • Attack Vector: Network (IMAP Protocol)
  • CVSS v3.1: 7.6 (High)
  • CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H
  • Exploit Status: Proof of Concept Available
  • Platform: PHP

Affected Systems

  • PHP applications using directorytree/imapengine < 1.22.3
  • Webmail clients
  • Email processing workers
  • directorytree/imapengine: < 1.22.3 (Fixed in: 1.22.3)

Code Analysis

Commit: 87fca56

Fix command injection in ID command

- $token .= '"'.$id.'" ';
+ $token .= '"'.Str::escape($id).'" ';
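Review bot: Wrapping $id in Str::escape on the replaced line only helps if that helper also deals with CR and LF, which the TL;DR names alongside double quotes as the injected characters; an RFC 3501 quoted-string can escape only `"` and `\`, and cannot contain CR, LF or NUL at all, so those bytes must be stripped, rejected, or sent as a literal rather than backslash-escaped. Please confirm what Str::escape does with them, and add a regression test that feeds an id value containing a double quote followed by CRLF through the ID command builder and asserts that a single quoted string comes out.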

Exploit Details

  • Gist: Proof of Concept for CVE-2026-2469 showing session termination

Mitigation Strategies

  • Input Sanitization
  • Library Update
  • Network Traffic Analysis

Remediation Steps:

  1. Update directorytree/imapengine to version >= 1.22.3 via Composer.
  2. Audit application code for any user-controlled data passed to the id() method.
  3. Implement strict validation (alphanumeric only) on fields mapped to IMAP identification tags.
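To make the fix and the remediation steps concrete, here is an added example (not imapengine's own code, and it does not assume what Str::escape does) that places the pre-fix concatenation beside a hardened builder; imapQuote() and both builder functions are hypothetical helpers written for this illustration.

```php
<?php
// Added example, not imapengine's own code: the pre-fix concatenation beside
// a hardened version. imapQuote() and the builders are hypothetical helpers.
declare(strict_types=1);

// Quote a value as an RFC 3501 quoted-string: escape backslash and double
// quote. CR, LF and NUL can never appear inside a quoted string, so they are
// rejected rather than "escaped" (a literal would be needed to carry them).
function imapQuote(string $value): string
{
    if (preg_match('/[\r\n\x00]/', $value) === 1) {
        throw new InvalidArgumentException('CR, LF or NUL in IMAP quoted string');
    }
    return '"' . str_replace(['\\', '"'], ['\\\\', '\\"'], $value) . '"';
}

// Vulnerable builder: mirrors the pre-1.22.3 concatenation shown in the commit.
function buildIdCommandUnsafe(string $tag, array $pairs): string
{
    $token = '';
    foreach ($pairs as $key => $value) {
        $token .= '"' . $key . '" "' . $value . '" ';
    }
    return $tag . ' ID (' . rtrim($token) . ")\r\n";
}

// Hardened builder: every key and value passes through imapQuote().
function buildIdCommandSafe(string $tag, array $pairs): string
{
    $parts = [];
    foreach ($pairs as $key => $value) {
        $parts[] = imapQuote((string) $key) . ' ' . imapQuote((string) $value);
    }
    return $tag . ' ID (' . implode(' ', $parts) . ")\r\n";
}

// Constructed input: a client name that closes the quoted string and appends
// a second tagged command on a new line, as the advisory describes.
$hostile = ['name' => "Mail\"\r\nA2 LOGOUT"];

echo buildIdCommandUnsafe('A1', $hostile);   // two commands reach the server
try {
    echo buildIdCommandSafe('A1', $hostile); // never sent: exception below
} catch (InvalidArgumentException $e) {
    echo 'rejected: ' . $e->getMessage() . "\n";
}
// Quotes in benign input are escaped and stay inside one quoted string.
echo buildIdCommandSafe('A1', ['name' => 'Acme "Mail"', 'version' => '1.0']);
```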

Read the full report for CVE-2026-2469 on our website for more details including interactive diagrams and full exploit analysis.
