Description
An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Unsafe deserialization in the redis/memcache session handler may lead to arbitrary file write operations by unauthenticated attackers via crafted session data.
Published: 2026-04-03
Score: 3.7 Low
EPSS: < 1% Very Low
KEV: No
Impact: Unrestricted File Write by Unauthenticated Attacker
Action: Apply Patch
AI Analysis

Impact

The vulnerability involves unsafe deserialization in the redis/memcache session handler of Roundcube Webmail. It allows unauthenticated attackers to craft session data that triggers arbitrary file write operations. This flaw is a form of deserialization vulnerability, identified as CWE-502, and can potentially be used to tamper with or overwrite files on the server, affecting the confidentiality, integrity, and availability of the application.

Affected Systems

Roundcube Webmail versions prior to 1.5.14 and 1.6.14 are affected. The issue is tied to the use of redis or memcache for session storage in these releases.

Risk and Exploitability

The CVSS v3.1 score is 3.7, indicating low overall severity, but the lack of authentication requirement makes the risk higher in practice. EPSS data is not available, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector involves sending crafted session data to the webmail instance, which the redis/memcache handler deserializes and writes to disk without proper validation.

Generated by OpenCVE AI on April 3, 2026 at 06:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Roundcube to the latest stable release (1.5.14, 1.6.14, or newer).
  • If a patch cannot be applied immediately, disable the redis/memcache session handler or switch to a secure session storage mechanism.
  • Review and restrict write permissions for the webmail document root to prevent unauthorized file modifications.

Generated by OpenCVE AI on April 3, 2026 at 06:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-rxj3-rrwm-pj4r Roundcube Webmail: Unsafe deserialization in the redis/memcache session handler
History

Fri, 03 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 03 Apr 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Roundcube
Roundcube webmail
Vendors & Products Roundcube
Roundcube webmail

Fri, 03 Apr 2026 04:00:00 +0000

Type Values Removed Values Added
Description An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Unsafe deserialization in the redis/memcache session handler may lead to arbitrary file write operations by unauthenticated attackers via crafted session data.
Weaknesses CWE-502
References
Metrics cvssV3_1

{'score': 3.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N'}

Subscriptions

Roundcube Webmail
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-03T13:11:42.666Z

Reserved: 2026-04-03T03:28:28.897Z

Link: CVE-2026-35537

cve-icon Vulnrichment

Updated: 2026-04-03T13:11:38.513Z

cve-icon NVD

Status : Undergoing Analysis

Published: 2026-04-03T04:17:10.313

Modified: 2026-04-03T16:10:23.730

Link: CVE-2026-35537

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-03T09:15:57Z

Weaknesses