PatchSiren

PatchSiren cyber security CVE debrief

CVE-2020-37248 OfflineIMAP CVE debrief

CVE-2020-37248 is a MEDIUM severity vulnerability in OfflineIMAP that enables STRIPTLS/man-in-the-middle attacks in which an attacker extracts account credentials in cleartext. The vulnerability exists because OfflineIMAP trusts the STARTTLS capability advertised by the server before authenticating, so a server response that omits STARTTLS leads the client to send credentials over a plaintext connection. This issue was patched in version 8.0.3.

Vendor
OfflineIMAP
Product
offlineimap
CVSS
MEDIUM 6.5
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-08
Original CVE updated
2026-06-09
Advisory published
2026-06-08
Advisory updated
2026-06-09

Who should care

Users running OfflineIMAP versions prior to 8.0.3 should update to the latest version to prevent credential theft through man-in-the-middle attacks.

Technical summary

OfflineIMAP before 8.0.3 trusts the STARTTLS capability advertised by the server before authentication. Because that capability list is received over the still-unencrypted connection, an on-path attacker can take over the connection and keep it in plaintext (a STRIPTLS/man-in-the-middle attack), causing the client to transmit account credentials in cleartext. The CVSS score for this vulnerability is 6.5, indicating a MEDIUM severity level.
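The following is an added illustration of the failure mode described above; it is not OfflineIMAP's code and does not reproduce its internals. It models the one decision the advisory concerns, whether a client sends LOGIN credentials on a connection that is still plaintext, as two policies over a parsed IMAP CAPABILITY response. The two capability lines at the bottom are constructed samples, not captured traffic.

```python
"""Added illustration of STARTTLS stripping as a client-side policy defect.

Not OfflineIMAP code. The vulnerable policy lets the unauthenticated,
unverified server's capability list decide whether TLS is used; the hardened
policy treats a missing STARTTLS capability as a reason to abort.
"""
import re
from enum import Enum


class Action(Enum):
    LOGIN = "send credentials now"
    STARTTLS = "issue STARTTLS, then log in over TLS"
    ABORT = "refuse to authenticate on this connection"


def parse_capabilities(line: str) -> set[str]:
    """Parse an untagged IMAP '* CAPABILITY ...' response into a token set."""
    m = re.match(r"\*\s+CAPABILITY\s+(.+)$", line.strip(), re.IGNORECASE)
    if not m:
        raise ValueError(f"not a CAPABILITY response: {line!r}")
    return {tok.upper() for tok in m.group(1).split()}


def decide_vulnerable(caps: set[str], tls_active: bool) -> Action:
    """Pattern the advisory describes: if STARTTLS is absent from the
    pre-authentication capability list, the client assumes the server simply
    cannot do TLS and logs in over the plaintext connection."""
    if tls_active:
        return Action.LOGIN
    if "STARTTLS" in caps:
        return Action.STARTTLS
    return Action.LOGIN          # the defect: trusts a list an attacker can edit


def decide_hardened(caps: set[str], tls_active: bool, require_tls: bool = True) -> Action:
    """Credentials leave the client only over an established TLS session (or a
    connection that was TLS from the start). Whatever the server advertises can
    add a STARTTLS step but never removes the TLS requirement."""
    if tls_active:
        return Action.LOGIN
    if "STARTTLS" in caps:
        return Action.STARTTLS
    if require_tls:
        return Action.ABORT      # a missing STARTTLS is treated as a stripping attempt
    return Action.LOGIN          # only if the user explicitly opted out of TLS


def compare(capability_line: str, tls_active: bool = False) -> dict:
    """Run both policies on one capability response; returns the action names."""
    caps = parse_capabilities(capability_line)
    return {
        "vulnerable": decide_vulnerable(caps, tls_active).name,
        "hardened": decide_hardened(caps, tls_active).name,
    }


# Constructed sample responses (not captured traffic): the genuine greeting,
# and the same greeting as the client sees it once an on-path attacker has
# removed the STARTTLS token.
GENUINE = "* CAPABILITY IMAP4rev1 STARTTLS AUTH=PLAIN"
STRIPPED = "* CAPABILITY IMAP4rev1 AUTH=PLAIN"

if __name__ == "__main__":
    for label, line in (("genuine", GENUINE), ("stripped", STRIPPED)):
        print(label, compare(line))
```

On the stripped response the vulnerable policy returns LOGIN and the hardened policy returns ABORT; on the genuine response both issue STARTTLS first. The point the example makes is that nothing received before TLS is established can safely weaken the client's policy, because an attacker who controls the connection also controls that data.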

Defensive priority

MEDIUM

Recommended defensive actions

  • Update OfflineIMAP to version 8.0.3 or later to fix the vulnerability.
  • Require an encrypted connection to the mail server (for example, IMAP over TLS) so that credentials are never sent over a connection the server, or an attacker in its place, can keep in plaintext.

Evidence notes

Evidence for this CVE comes from various sources, including the NVD and CVE.org.

Official resources

CVE-2020-37248 was published on 2026-06-08T16:16:33.257Z and modified on 2026-06-09T13:57:49.980Z.