
Roundcube Webmail EUVD-2026-31724 | CVE-2026-48847 (LOW)

Incorrect Resource Transfer Between Spheres (CWE-669)
2026-05-25 · mitre · GHSA-9vwp-h229-h4cm
CVSS 3.1 base score 3.7 (NVD)

Severity by source

NVD (primary): 3.7 LOW, AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

Primary rating from NVD; only source for this CVE.

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: Low

Lifecycle Timeline

Source Code Evidence Fetched: Jun 08, 2026 - 13:31 (vuln.today)
Analysis Generated: Jun 08, 2026 - 13:31 (vuln.today)
Patch available: May 26, 2026 - 14:01 (EUVD)

Description (CVE.org)

Roundcube Webmail 1.6.x before 1.6.16, and 1.7.x before 1.7.1 allows pre-authentication arbitrary file deletion via redis/memcache session poisoning bypass.

Analysis (AI)

Pre-authentication arbitrary file deletion in Roundcube Webmail 1.6.x (before 1.6.16) and 1.7.x (before 1.7.1) is achievable by unauthenticated network attackers via session poisoning of Redis or Memcache storage backends. The root cause (CWE-669: Incorrect Resource Transfer Between Spheres) lies in the application improperly trusting session data read from an external cache tier, allowing crafted entries to bypass pre-authentication controls and trigger file deletion operations. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata:

Access: Identify Roundcube instance using Redis/Memcache sessions
Delivery: Locate exposed or unauthenticated cache backend
Exploit: Write crafted session payload to cache store
Execution: Issue unauthenticated HTTP request triggering session load
Persist: Bypass pre-authentication guard via poisoned session
Impact: Trigger arbitrary file deletion on server

Vulnerability Assessment (AI)

Exploitation: Roundcube must be explicitly configured to use Redis or Memcache as its session storage backend (set via $config['session_storage'] = 'redis' or 'memcache'); the default file-based or database session storage is NOT affected. … Additional conditions and limiting factors are described in the full assessment.

Risk Assessment: CVSS 3.7 (Low) is driven by AC:H (high attack complexity), S:U (unchanged scope), and A:L (low availability impact), which together substantially suppress the score despite PR:N (no privileges required) and AV:N (network-accessible). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.

Exploit Scenario: An attacker who has access to an exposed or unauthenticated Redis instance serving as Roundcube's session backend writes a specially crafted session payload designed to spoof a valid pre-authentication state and direct file deletion logic to a target path. When Roundcube's session handler loads this poisoned record during a standard unauthenticated request, it bypasses the pre-auth guard and executes the file deletion. …

Remediation: Upgrade to Roundcube Webmail 1.6.16 or 1.7.1 immediately, as confirmed by the vendor security announcement at https://roundcube.net/news/2026/05/24/security-updates-1.6.16-and-1.7.1, with GitHub release artifacts at https://github.com/roundcube/roundcubemail/releases/tag/1.6.16 and https://github.com/roundcube/roundcubemail/releases/tag/1.7.1. … Detailed patch versions, workarounds, and compensating controls in full report.
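The two conditions above (an affected version branch and a Redis or Memcache session backend) are what a defender needs to triage an installation. The following is an added example, not code from vuln.today or the Roundcube project: a small Python helper that reads the $config['session_storage'] setting named on the page out of a Roundcube config/config.inc.php and combines it with the installed version to decide whether the host is in scope for CVE-2026-48847. It assumes a plain 'x.y.z' version string, treats a missing session_storage key as Roundcube's database default, and uses a constructed sample config; the redis_hosts line in that sample is illustrative only.

```python
"""Triage helper for CVE-2026-48847 (Roundcube session_storage check).

Added example, not vuln.today's or Roundcube's own code. Assumes the
$config['session_storage'] key as described on the advisory page and a
plain 'x.y.z' version string; the sample config text below is constructed.
"""
import re

# Affected ranges as stated in the advisory: 1.6.x before 1.6.16, 1.7.x before 1.7.1.
FIXED_VERSIONS = {(1, 6): (1, 6, 16), (1, 7): (1, 7, 1)}
# Only these session backends are in scope; 'db' (the default) and 'php' are not.
AFFECTED_BACKENDS = {"redis", "memcache"}

# Matches an uncommented PHP assignment such as $config['session_storage'] = 'redis';
_SESSION_STORAGE_RE = re.compile(
    r"""^\s*\$config\[\s*['"]session_storage['"]\s*\]\s*=\s*['"]([^'"]*)['"]\s*;""",
    re.MULTILINE,
)

# Constructed sample config (not a real deployment); the commented line must be ignored.
SAMPLE_CONFIG = """<?php
$config['db_dsnw'] = 'mysql://roundcube:pass@localhost/roundcubemail';
// $config['session_storage'] = 'db';
$config['session_storage'] = 'redis';
$config['redis_hosts'] = ['localhost:6379'];
"""


def parse_version(version: str) -> tuple:
    """Turn '1.6.15' into (1, 6, 15); a '-rc1' style suffix is dropped."""
    core = version.strip().split("-")[0]
    return tuple(int(part) for part in core.split("."))


def version_is_vulnerable(version: str) -> bool:
    """True when the version falls in a branch the advisory names and precedes its fix."""
    parsed = parse_version(version)
    fixed = FIXED_VERSIONS.get(parsed[:2])
    if fixed is None:
        return False  # branches not named by the advisory (e.g. 1.5.x) are out of scope
    return parsed < fixed


def session_storage_from_config(config_text: str) -> str:
    """Return the effective session_storage value; Roundcube's default is 'db'.

    The last uncommented assignment wins, mirroring PHP's sequential execution.
    """
    matches = _SESSION_STORAGE_RE.findall(config_text)
    return matches[-1].strip().lower() if matches else "db"


def assess(version: str, config_text: str) -> dict:
    """Combine version and backend into an in-scope decision plus a suggested action."""
    backend = session_storage_from_config(config_text)
    vulnerable_version = version_is_vulnerable(version)
    affected = vulnerable_version and backend in AFFECTED_BACKENDS
    if affected:
        action = "upgrade to 1.6.16 / 1.7.1 and restrict network access to the cache"
    elif vulnerable_version:
        action = f"upgrade anyway; session_storage '{backend}' is not in scope for this CVE"
    else:
        action = "version already fixed"
    return {
        "version": version,
        "session_storage": backend,
        "affected": affected,
        "action": action,
    }


if __name__ == "__main__":
    print(assess("1.6.15", SAMPLE_CONFIG))
```

Run it against the real config file by reading config/config.inc.php into `config_text` and taking the version from the installation's own version constant or release tag; a result with `affected` set is a host that needs the upgrade and, in the meantime, a cache backend that is not reachable from untrusted networks.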

