Description
An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Unsanitized IMAP SEARCH command arguments could lead to IMAP injection or CSRF bypass during mail search.
Published: 2026-04-03
Score: 3.1 Low
EPSS: < 1% Very Low
KEV: No
Impact: Injection or CSRF bypass via IMAP SEARCH arguments
Action: Apply Patch
AI Analysis

Impact

Roundcube Webmail accepts IMAP SEARCH command arguments without proper sanitization, which lets an attacker inject additional IMAP commands or bypass cross-site request forgery protections when performing a mail search. The vulnerability is rooted in an argument-injection weakness (CWE-88). By supplying unsanitized input, an attacker could attempt unauthorized actions against the IMAP server or the mailbox contents.

Affected Systems

All installations of Roundcube Webmail earlier than version 1.5.14 or 1.6.14 are affected. The issue impacts every environment that uses these legacy releases, regardless of operating system or deployment method. Versions 1.5.14, 1.6.14, 1.7-rc5, and later contain the fix and are not vulnerable.

Risk and Exploitability

The CVSS score is 3.1, indicating a low overall severity. An EPSS score below 1% suggests that real-world exploitation is unlikely, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is through the webmail interface, where an authenticated user may submit a crafted search query that is transmitted unfiltered to the IMAP server. These conditions are inferred from the description and are not explicitly stated in the source data.

Generated by OpenCVE AI on April 7, 2026 at 23:54 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade Roundcube Webmail to version 1.5.14, 1.6.14, or later


Tracking


Advisories
Source: Debian DSA | ID: DSA-6196-1 | Title: roundcube security update
Source: GitHub GHSA | ID: GHSA-8jr8-v43g-5c57 | Title: Roundcube Webmail: Unsanitized IMAP SEARCH command arguments
History

Wed, 08 Apr 2026 20:15:00 +0000

Type Values Removed Values Added
Title Unsanitized IMAP SEARCH arguments in Roundcube allow injection or CSRF bypass

Tue, 07 Apr 2026 21:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:roundcube:webmail:*:*:*:*:*:*:*:*

Fri, 03 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 03 Apr 2026 10:15:00 +0000

Type Values Removed Values Added
Title Unsanitized IMAP SEARCH arguments in Roundcube allow injection or CSRF bypass
First Time appeared: Roundcube; Roundcube webmail
Vendors & Products: Roundcube; Roundcube webmail

Fri, 03 Apr 2026 05:15:00 +0000


MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-03T13:11:22.365Z

Reserved: 2026-04-03T03:35:36.541Z

Link: CVE-2026-35538

Vulnrichment

Updated: 2026-04-03T13:11:18.792Z

NVD

Status : Analyzed

Published: 2026-04-03T05:16:21.647

Modified: 2026-04-07T20:54:28.020

Link: CVE-2026-35538

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-08T19:54:24Z

Weaknesses