Description
An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Unsanitized IMAP SEARCH command arguments could lead to IMAP injection or CSRF bypass during mail search.
Published: 2026-04-03
Score: 3.1 Low
EPSS: < 1% Very Low
KEV: No
Impact: Potential IMAP injection or CSRF bypass in Roundcube mail search
Action: Apply Patch
AI Analysis

Impact

Roundcube Webmail permits users to submit IMAP SEARCH commands with arguments that are not properly sanitized. A crafted search query can inject additional IMAP instructions or allow an attacker to bypass CSRF protections during a mail search, which may expose private messages or compromise the authenticated session. The vulnerability is a form of injection that could be used to manipulate the mailbox or access data not intended for the user.

Affected Systems

The flaw exists in all Roundcube releases prior to 1.5.14 and 1.6.14. Administrators should upgrade to the latest available releases—1.5.14, 1.6.14, 1.7-rc5, or the current stable version—to eliminate the risk.

Risk and Exploitability

The assigned CVSS score of 3.1 indicates low severity, and no EPSS data is available. The vulnerability is not listed in the CISA KEV catalog. Exploitation likely involves forging IMAP SEARCH requests, possibly under an authenticated user, and does not require elevated privileges. The attack path is straightforward, so prompt patching is recommended to mitigate potential data exposure or CSRF bypass.

Generated by OpenCVE AI on April 3, 2026 at 07:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Roundcube to version 1.5.14 or later (1.6.14, 1.7-rc5, or the latest release).
  • Verify that the running code base reflects the patched version and that all instances use the updated binaries.
  • If an upgrade cannot be performed immediately, restrict or validate IMAP SEARCH queries on the server side to prevent malicious input.
  • Ensure that CSRF tokens are enforced for any search-related actions in the webmail interface.



Advisories

Source       ID                    Title
Github GHSA  GHSA-8jr8-v43g-5c57   Roundcube Webmail: Unsanitized IMAP SEARCH command arguments
History

Fri, 03 Apr 2026 15:15:00 +0000

Type: Metrics
Values removed: (none)
Values added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 03 Apr 2026 10:15:00 +0000

Type: Title
Values removed: (none)
Values added: Unsanitized IMAP SEARCH arguments in Roundcube allow injection or CSRF bypass

Type: First Time appeared
Values removed: (none)
Values added: Roundcube; Roundcube webmail

Type: Vendors & Products
Values removed: (none)
Values added: Roundcube; Roundcube webmail

Fri, 03 Apr 2026 05:15:00 +0000


MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-03T13:11:22.365Z

Reserved: 2026-04-03T03:35:36.541Z

Link: CVE-2026-35538

Vulnrichment

Updated: 2026-04-03T13:11:18.792Z

NVD

Status: Undergoing Analysis

Published: 2026-04-03T05:16:21.647

Modified: 2026-04-03T16:10:23.730

Link: CVE-2026-35538

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-03T09:15:56Z

Weaknesses