Severity by source
AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N
Network-reachable attack (AV:N) requires an authenticated session (PR:L), specific session manipulation conditions (AC:H), and user interaction (UI:R); successful exploitation yields full account takeover (C:H, I:H) with no availability impact.
Primary rating from Vendor (mitre).
CVSS VectorVendor: mitre
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N
Lifecycle Timeline
3DescriptionCVE.org
In Roundcube Webmail before 1.6.17 and 1.7.x before 1.7.2, the password plugin of the Roundcube Webmail was subject to username spoofing via session data, which could lead to account takeover.
AnalysisAI
Username spoofing via session data in Roundcube Webmail's password plugin allows an authenticated attacker to manipulate session state so that the plugin operates on a victim's account rather than the attacker's own, enabling password changes on the target account and full account takeover. All 1.6.x versions prior to 1.6.17 and all 1.7.x versions prior to 1.7.2 are affected when the password plugin is enabled. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires all of the following: (1) the Roundcube password plugin must be explicitly enabled in the installation - it is not universally active by default and varies by hosting configuration; (2) the attacker must hold a valid, authenticated Roundcube session (CVSS PR:L); (3) user interaction is required per CVSS UI:R - the specific nature of this interaction is not detailed in available public data, but it may refer to a victim-side or attacker-side action needed to trigger the plugin; (4) attack complexity is high (AC:H), indicating specific session state conditions that must be met before the spoofed username is accepted. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The published CVSS 3.1 vector AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N scores 6.4 (Medium). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An authenticated Roundcube user injects a victim's username into the session data consumed by the password plugin, then triggers the password change workflow. The plugin, trusting session data over the authenticated principal, sets a new password on the victim's account rather than the attacker's. … |
| Remediation | Upgrade to Roundcube Webmail 1.6.17 for 1.6.x deployments, or to 1.7.2 for 1.7.x deployments, per the vendor security announcement at https://roundcube.net/news/2026/07/05/security-updates-1.6.17-and-1.7.2; the vendor explicitly recommends backing up data before upgrading. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au
steps/mail/sendmail.inc in Roundcube before 1.1.7 and 1.2.x before 1.2.3, when no SMTP server is configured and the send
rcube_image.php in Roundcube Webmail before 1.4.4 allows attackers to execute arbitrary code via shell metacharacters in
Roundcube Webmail before 1.4.4 allows attackers to include local files and execute code via directory traversal in a plu
The DBMail driver in the Password plugin in Roundcube before 1.1.0 allows remote attackers to execute arbitrary commands
A Cross-Site Scripting vulnerability in Roundcube through 1.5.7 and 1.6.x through 1.6.7 allows a remote attacker to stea
Multiple buffer overflows in the DBMail driver in the Password plugin in Roundcube before 1.1.0 allow remote attackers t
Roundcube Webmail allows arbitrary password resets by authenticated users. Rated high severity (CVSS 8.8), this vulnerab
roundcube version 1.3.4 and earlier contains an Insecure Permissions vulnerability in enigma plugin that can result in e
An issue was discovered in Roundcube Webmail before 1.4.4. Rated medium severity (CVSS 6.5), this vulnerability is remot
Cross-site scripting (XSS) vulnerability in Roundcube Webmail before 1.2.0 allows remote attackers to inject arbitrary w
Cross-site scripting (XSS) vulnerability in program/include/rcmail.php in Roundcube before 1.0.6 and 1.1.x before 1.1.2
Same weakness CWE-290 – Authentication Bypass by Spoofing
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43751
GHSA-q4q9-gcgm-p77w