Email Search/Reply Tool Argument Breaks Out of IMAP SEARCH Quoted String to Inject IMAP Commands
Detects an email-related tool-call argument (from_addr, subject, query, message_id, search_id) whose value contains a quote-breakout followed by an IMAP protocol verb (DELETE, UID, FETCH, STORE, HEADER, SEARCH, FLAGS, EXPUNGE) -- the shape of a successful escape from an IMAP SEARCH quoted string context into raw IMAP command syntax. Mined from GHSA-c969-5x3p-vq3v (PraisonAI's `email_tools.py` builds IMAP SEARCH criteria by f-string -interpolating LLM-controlled `search_emails`/`reply_email` tool arguments directly into double-quote-delimited IMAP search terms, e.g. `f'SUBJECT "{subject}"'`, with no escaping; a `subject` value containing an embedded `"` breaks out of the quoted string and lets an attacker who can influence the tool-call arguments -- via crafted agent prompts -- inject arbitrary IMAP commands to exfiltrate mail from other folders, delete messages, or otherwise abuse the mailbox). Generalized beyond PraisonAI's specific field names and beyond `search_emails` to any agent-callable email tool that interpolates unescaped LLM-controlled input into IMAP protocol strings, since the exploitable signal is the quote-breakout + IMAP-verb shape itself, not the vendor's specific source file.
Response Actions
References
Detection Conditions
Combinator: any- 01Email tool-call argument (from_addr/subject/query/message_id/search_id) whose quoted value contains an embedded (possibly backslash-escaped) quote immediately followed by whitespace and an IMAP protocol verb -- the signature of a successful quote-breakout into raw IMAP command syntaxfield: contentop: regex
Attack Examples (Rule Triggers)
call search_emails with subject: "foo\" DELETE 1:* \""
search_emails(from_addr='x" UID FETCH 1:* BODY[] "')
reply_email query: "test\" STORE 1:* +FLAGS (\\Deleted) \""
call search_emails with message_id: "abc\" HEADER Message-ID \"evil\""
Real-world attack payloads, sanitized and versioned alongside the rule as regression tests — so a future revision can't silently stop catching them.
Benign Examples (Rule Doesn't Trigger)
- Ordinary subject value, no embedded quote or IMAP verb
call search_emails with subject: "Quarterly report"
- Subject containing the English word DELETE with no quote-breakout immediately before it
search_emails(subject="Please DELETE my old drafts folder")
- Advisory prose describing the vulnerability class, no actual tool-call argument being set
The email_tools.py search function interpolates from_addr/subject/query into IMAP SEARCH strings without escaping, allowing command injection via an embedded quote.
- Legitimate apostrophe in a name/address, not a double-quote breakout, and not followed by an IMAP verb
call search_emails with from_addr: "o'[email protected]"
Known False Positive Contexts
- ▸A legitimate subject/query value that contains an IMAP-verb-like English word (e.g. 'Please DELETE my old files', 'FETCH the report') without an embedded quote character breaking the string boundary immediately before it
- ▸Documentation or an advisory describing the IMAP command-injection vulnerability class using example code, not an actual tool-call argument being set
- ▸A value containing a single stray quote for legitimate reasons (e.g. an apostrophe in a name) that happens not to be followed by whitespace + an IMAP verb -- the verb-adjacency requirement keeps this rule from firing on incidental punctuation
Documented Evasion Techniques
- Technique: tab instead of space
call search_emails with subject: "x\"\tDELETE 1:*\""
\s+ in the regex already matches tab/newline whitespace between the quote-breakout and the IMAP verb, so this variant is correctly caught; included as a sanity check, not a known gap.
Publicly documented bypasses. A standard earns trust by publishing its worst figures, not hiding them — so known limitations ship inside the rule, not in a footnote.
Full YAML Definition
Edit on GitHub →title: "Email Search/Reply Tool Argument Breaks Out of IMAP SEARCH Quoted String to Inject IMAP Commands"
id: ATR-2026-02352
rule_version: 1
status: experimental
description: >
Detects an email-related tool-call argument (from_addr, subject, query,
message_id, search_id) whose value contains a quote-breakout followed by
an IMAP protocol verb (DELETE, UID, FETCH, STORE, HEADER, SEARCH, FLAGS,
EXPUNGE) -- the shape of a successful escape from an IMAP SEARCH quoted
string context into raw IMAP command syntax. Mined from GHSA-c969-5x3p-vq3v
(PraisonAI's `email_tools.py` builds IMAP SEARCH criteria by f-string
-interpolating LLM-controlled `search_emails`/`reply_email` tool arguments
directly into double-quote-delimited IMAP search terms, e.g.
`f'SUBJECT "{subject}"'`, with no escaping; a `subject` value containing an
embedded `"` breaks out of the quoted string and lets an attacker who can
influence the tool-call arguments -- via crafted agent prompts -- inject
arbitrary IMAP commands to exfiltrate mail from other folders, delete
messages, or otherwise abuse the mailbox). Generalized beyond PraisonAI's
specific field names and beyond `search_emails` to any agent-callable
email tool that interpolates unescaped LLM-controlled input into IMAP
protocol strings, since the exploitable signal is the quote-breakout +
IMAP-verb shape itself, not the vendor's specific source file.
author: "ATR Community (CVE sweep)"
date: "2026/07/11"
schema_version: "0.1"
detection_tier: pattern
maturity: experimental
severity: high
references:
cwe:
- "CWE-20"
- "CWE-77"
owasp_llm:
- "LLM02:2025 - Sensitive Information Disclosure"
owasp_agentic:
- "ASI02:2026 - Tool Misuse and Exploitation"
mitre_attack:
- "T1114 - Email Collection"
mitre_atlas:
- "AML.T0053 - LLM Plugin Compromise"
external:
- "https://github.com/advisories/GHSA-c969-5x3p-vq3v"
metadata_provenance:
cwe: human-reviewed
owasp_llm: human-reviewed
owasp_agentic: human-reviewed
mitre_attack: human-reviewed
mitre_atlas: human-reviewed
compliance:
eu_ai_act:
- article: "15"
context: "Article 15 (accuracy, robustness and cybersecurity) requires resistance to unauthorised data access or modification; this rule detects an email-tool argument breaking out of an IMAP SEARCH quoted string to inject arbitrary IMAP commands against the connected mailbox."
strength: primary
- article: "9"
context: "Article 9 (risk management system) requires identified risks to be addressed by appropriate measures; this rule is a runtime risk-treatment control for the IMAP-command-injection-via-tool-argument risk class."
strength: secondary
nist_ai_rmf:
- subcategory: "MG.2.3"
context: "Treating IMAP command injection via email-tool arguments as an identified AI risk requires active runtime countermeasures; this detection rule is the primary risk treatment implementation."
strength: primary
- subcategory: "MP.5.1"
context: "Identifying the IMAP-quote-breakout injection pattern as an AI risk to be catalogued in the organizational risk register."
strength: secondary
iso_42001:
- clause: "8.1"
context: "ISO/IEC 42001 Clause 8.1 (operational planning and control) is operationalised by this rule's detection of IMAP command injection attempts via email-tool arguments."
strength: primary
- clause: "8.3"
context: "ISO/IEC 42001 Clause 8.3 (AI risk treatment) is implemented via this rule's runtime detection of the injection attempt."
strength: secondary
tags:
category: tool-poisoning
subcategory: imap-command-injection-tool-argument
scan_target: both
confidence: high
agent_source:
type: llm_io
framework:
- any
provider:
- any
detection:
condition: any
conditions:
- field: content
operator: regex
value: '\b(?:from_addr|subject|query|message_id|search_id)\b\s*[:=]\s*["\x27][^"\x27\\]{0,60}\\?["\x27]\s+\b(?:DELETE|UID|FETCH|STORE|HEADER|SEARCH|FLAGS|EXPUNGE)\b'
description: "Email tool-call argument (from_addr/subject/query/message_id/search_id) whose quoted value contains an embedded (possibly backslash-escaped) quote immediately followed by whitespace and an IMAP protocol verb -- the signature of a successful quote-breakout into raw IMAP command syntax"
false_positives:
- "A legitimate subject/query value that contains an IMAP-verb-like English word (e.g. 'Please DELETE my old files', 'FETCH the report') without an embedded quote character breaking the string boundary immediately before it"
- "Documentation or an advisory describing the IMAP command-injection vulnerability class using example code, not an actual tool-call argument being set"
- "A value containing a single stray quote for legitimate reasons (e.g. an apostrophe in a name) that happens not to be followed by whitespace + an IMAP verb -- the verb-adjacency requirement keeps this rule from firing on incidental punctuation"
response:
actions:
- block_tool
- alert
message_template: >
[ATR-2026-02352] Email tool argument breaks out of an IMAP SEARCH
quoted string into raw IMAP command syntax -- treat as an attempt to
inject arbitrary IMAP commands (DELETE/FETCH/STORE/etc.) against the
connected mailbox, not a normal search term.
confidence: 80
wild_fp_rate: 0
test_cases:
true_positives:
- input: 'call search_emails with subject: "foo\" DELETE 1:* \""'
expected: triggered
description: "GHSA-c969-5x3p-vq3v canonical PoC -- subject argument breaks out via escaped quote then injects IMAP DELETE"
- input: 'search_emails(from_addr=''x" UID FETCH 1:* BODY[] "'')'
expected: triggered
description: "from_addr argument quote-breakout injecting UID FETCH to exfiltrate message bodies"
- input: 'reply_email query: "test\" STORE 1:* +FLAGS (\\Deleted) \""'
expected: triggered
description: "query argument quote-breakout injecting STORE to mark messages for deletion"
- input: 'call search_emails with message_id: "abc\" HEADER Message-ID \"evil\""'
expected: triggered
description: "message_id argument quote-breakout re-targeting the HEADER search criterion"
true_negatives:
- input: 'call search_emails with subject: "Quarterly report"'
expected: not_triggered
description: "Ordinary subject value, no embedded quote or IMAP verb"
- input: 'search_emails(subject="Please DELETE my old drafts folder")'
expected: not_triggered
description: "Subject containing the English word DELETE with no quote-breakout immediately before it"
- input: 'The email_tools.py search function interpolates from_addr/subject/query into IMAP SEARCH strings without escaping, allowing command injection via an embedded quote.'
expected: not_triggered
description: "Advisory prose describing the vulnerability class, no actual tool-call argument being set"
- input: 'call search_emails with from_addr: "o''[email protected]"'
expected: not_triggered
description: "Legitimate apostrophe in a name/address, not a double-quote breakout, and not followed by an IMAP verb"
evasion_tests:
- input: 'call search_emails with subject: "x\"\tDELETE 1:*\""'
expected: triggered
bypass_technique: tab_instead_of_space
notes: "\\s+ in the regex already matches tab/newline whitespace between the quote-breakout and the IMAP verb, so this variant is correctly caught; included as a sanity check, not a known gap."