Description
An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Unsafe deserialization in the redis/memcache session handler may lead to arbitrary file write operations by unauthenticated attackers via crafted session data.
Published: 2026-04-03
Score: 3.7 Low
EPSS: < 1% Very Low
KEV: No
Impact: Unauthenticated arbitrary file write via unsafe session deserialization
Action: Patch Immediately
AI Analysis

Impact

Roundcube Webmail contains an unsafe deserialization flaw in its Redis/Memcache session handler. When a crafted session payload is deserialized, the attacker can trigger arbitrary file write operations on the server. This allows overwrite or creation of files, potentially enabling the deployment of malicious scripts or the modification of configuration files.

Affected Systems

The vulnerability affects all Roundcube Webmail installations running versions prior to 1.5.14 or 1.6.14 that use the Redis or Memcache session handling modules. Any deployment employing those session stores is susceptible.

Risk and Exploitability

The flaw carries a CVSS score of 3.7, indicating moderate severity, and an EPSS score of less than 1 %, suggesting low likelihood of widespread exploitation. It is not listed in the CISA Known Exploited Vulnerabilities catalog. Attackers can execute the flaw without authentication by supplying a maliciously crafted session payload, granting the ability to write files wherever the webmail process has write permission.

Generated by OpenCVE AI on April 13, 2026 at 20:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Roundcube to a version equal to or later than 1.5.14 or 1.6.14.
  • If an upgrade is not possible, disable the Redis/Memcache session handlers or configure them to reject unauthenticated session data.
  • Restrict external access to the session storage backend or apply firewall rules to block unauthenticated write attempts.

Generated by OpenCVE AI on April 13, 2026 at 20:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6196-1 roundcube security update
Github GHSA Github GHSA GHSA-rxj3-rrwm-pj4r Roundcube Webmail: Unsafe deserialization in the redis/memcache session handler
History

Tue, 14 Apr 2026 16:45:00 +0000

Type Values Removed Values Added
Title Roundcube Webmail Unsafe Deserialization Enables Unauthenticated File Write via Session Data

Mon, 13 Apr 2026 18:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:roundcube:webmail:*:*:*:*:*:*:*:*

Sat, 11 Apr 2026 15:30:00 +0000

Type Values Removed Values Added
References

Fri, 03 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 03 Apr 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Roundcube
Roundcube webmail
Vendors & Products Roundcube
Roundcube webmail

Fri, 03 Apr 2026 04:00:00 +0000

Type Values Removed Values Added
Description An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Unsafe deserialization in the redis/memcache session handler may lead to arbitrary file write operations by unauthenticated attackers via crafted session data.
Weaknesses CWE-502
References
Metrics cvssV3_1

{'score': 3.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N'}

Subscriptions

Roundcube Webmail
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-11T14:12:39.387Z

Reserved: 2026-04-03T03:28:28.897Z

Link: CVE-2026-35537

cve-icon Vulnrichment

Updated: 2026-04-11T14:12:39.387Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-03T04:17:10.313

Modified: 2026-04-13T17:54:32.260

Link: CVE-2026-35537

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-14T16:41:51Z

Weaknesses