Skip to main content

Roundcube Webmail EUVDEUVD-2026-43751

| CVE-2026-62644 MEDIUM
Authentication Bypass by Spoofing (CWE-290)
2026-07-14 mitre GHSA-q4q9-gcgm-p77w
6.4
CVSS 3.1 · Vendor: mitre
Share

Severity by source

Vendor (mitre) PRIMARY
6.4 MEDIUM
AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N
vuln.today AI
6.4 MEDIUM

Network-reachable attack (AV:N) requires an authenticated session (PR:L), specific session manipulation conditions (AC:H), and user interaction (UI:R); successful exploitation yields full account takeover (C:H, I:H) with no availability impact.

3.1 AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N
4.0 AV:N/AC:H/AT:P/PR:L/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (mitre).

CVSS VectorVendor: mitre

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

3
Patch available
Jul 14, 2026 - 18:20 EUVD
Source Code Evidence Fetched
Jul 14, 2026 - 16:36 vuln.today
Analysis Generated
Jul 14, 2026 - 16:36 vuln.today

DescriptionCVE.org

In Roundcube Webmail before 1.6.17 and 1.7.x before 1.7.2, the password plugin of the Roundcube Webmail was subject to username spoofing via session data, which could lead to account takeover.

AnalysisAI

Username spoofing via session data in Roundcube Webmail's password plugin allows an authenticated attacker to manipulate session state so that the plugin operates on a victim's account rather than the attacker's own, enabling password changes on the target account and full account takeover. All 1.6.x versions prior to 1.6.17 and all 1.7.x versions prior to 1.7.2 are affected when the password plugin is enabled. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate to Roundcube with valid credentials
Delivery
Inject victim username into session data
Exploit
Trigger password plugin change workflow
Execution
Plugin processes spoofed session username
Persist
Set new password on victim account
Impact
Authenticate to victim mailbox with attacker-controlled credentials

Vulnerability AssessmentAI

Exploitation Exploitation requires all of the following: (1) the Roundcube password plugin must be explicitly enabled in the installation - it is not universally active by default and varies by hosting configuration; (2) the attacker must hold a valid, authenticated Roundcube session (CVSS PR:L); (3) user interaction is required per CVSS UI:R - the specific nature of this interaction is not detailed in available public data, but it may refer to a victim-side or attacker-side action needed to trigger the plugin; (4) attack complexity is high (AC:H), indicating specific session state conditions that must be met before the spoofed username is accepted. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The published CVSS 3.1 vector AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N scores 6.4 (Medium). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An authenticated Roundcube user injects a victim's username into the session data consumed by the password plugin, then triggers the password change workflow. The plugin, trusting session data over the authenticated principal, sets a new password on the victim's account rather than the attacker's. …
Remediation Upgrade to Roundcube Webmail 1.6.17 for 1.6.x deployments, or to 1.7.2 for 1.7.x deployments, per the vendor security announcement at https://roundcube.net/news/2026/07/05/security-updates-1.6.17-and-1.7.2; the vendor explicitly recommends backing up data before upgrading. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2025-49113 CRITICAL POC
9.9 Jun 02

Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au

CVE-2016-9920 HIGH POC
7.5 Dec 08

steps/mail/sendmail.inc in Roundcube before 1.1.7 and 1.2.x before 1.2.3, when no SMTP server is configured and the send

CVE-2020-12641 CRITICAL POC
9.8 May 04

rcube_image.php in Roundcube Webmail before 1.4.4 allows attackers to execute arbitrary code via shell metacharacters in

CVE-2020-12640 CRITICAL POC
9.8 May 04

Roundcube Webmail before 1.4.4 allows attackers to include local files and execute code via directory traversal in a plu

CVE-2015-2180 HIGH POC
8.8 Jan 30

The DBMail driver in the Password plugin in Roundcube before 1.1.0 allows remote attackers to execute arbitrary commands

CVE-2024-42009 CRITICAL POC
9.3 Aug 05

A Cross-Site Scripting vulnerability in Roundcube through 1.5.7 and 1.6.x through 1.6.7 allows a remote attacker to stea

CVE-2015-2181 HIGH POC
8.8 Jan 30

Multiple buffer overflows in the DBMail driver in the Password plugin in Roundcube before 1.1.0 allow remote attackers t

CVE-2017-8114 HIGH POC
8.8 Apr 29

Roundcube Webmail allows arbitrary password resets by authenticated users. Rated high severity (CVSS 8.8), this vulnerab

CVE-2018-1000071 HIGH POC
7.5 Mar 13

roundcube version 1.3.4 and earlier contains an Insecure Permissions vulnerability in enigma plugin that can result in e

CVE-2020-12626 MEDIUM POC
6.5 May 04

An issue was discovered in Roundcube Webmail before 1.4.4. Rated medium severity (CVSS 6.5), this vulnerability is remot

CVE-2016-4552 MEDIUM POC
6.1 Dec 20

Cross-site scripting (XSS) vulnerability in Roundcube Webmail before 1.2.0 allows remote attackers to inject arbitrary w

CVE-2015-8793 MEDIUM POC
6.1 Jan 29

Cross-site scripting (XSS) vulnerability in program/include/rcmail.php in Roundcube before 1.0.6 and 1.1.x before 1.1.2

Share

EUVD-2026-43751 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy