Description
An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Incorrect password comparison in the password plugin could lead to type confusion that allows a password change without knowing the old password.
Published: 2026-04-03
Score: 4.2 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Password Reset
Action: Patch Immediately
AI Analysis

Impact

A vulnerability was identified in Roundcube Webmail's password plugin where an improper comparison of password values introduces type confusion. This flaw enables an attacker to change a user's password without knowing the original password, thereby granting unauthorized access.

Affected Systems

The affected product is Roundcube Webmail. Versions prior to 1.5.14 and 1.6.14 contain the flaw. Users running these earlier releases should verify their installation and plan an upgrade.

Risk and Exploitability

The CVSS base score of 4.2 indicates moderate severity. The flaw is exploitable through the web interface that handles password changes, so a remote attacker who can authenticate to an account can abuse the weakness. The vulnerability is not listed in the CISA KEV catalog and EPSS data is not available, but the moderate score suggests vigilance.

Generated by OpenCVE AI on April 3, 2026 at 07:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor-supplied patch by upgrading to Roundcube 1.5.14, 1.6.14, or any later release such as 1.7-RC5.
  • If an upgrade cannot be performed immediately, consider disabling the password change feature or implementing manual checks to enforce old password verification.
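The Impact section above describes the flaw as a type confusion arising from an incorrect comparison of password values, and the second recommended action asks for checks that actually enforce old-password verification. The following PHP snippet is an added illustration and is not Roundcube's password plugin code; the page does not say which comparison in Roundcube was wrong, so the loose-comparison form shown here is an assumption about the general CWE-843 pattern in PHP, not a statement of the actual bug. The function names, the sample password and the stored hash are constructed for the example, and `mixed` parameters need PHP 8.0 or later.

```php
<?php
declare(strict_types=1);

// Illustration only: this is NOT Roundcube's password plugin code, and the
// exact comparison that failed in Roundcube is not described on this page.
// It shows the CWE-843 pattern in PHP generally: a loose (==) comparison
// applies type juggling, so operands of different types, or two
// numeric-looking strings, can compare equal without being identical.
function looseOldPasswordCheck(mixed $submitted, string $stored): bool
{
    return $submitted == $stored;
}

// Hardened form: accept only a non-empty string, then let password_verify()
// (constant-time, hash-aware) decide. Type juggling never reaches the comparison.
function verifyOldPassword(mixed $submitted, string $storedHash): bool
{
    if (!is_string($submitted) || $submitted === '') {
        return false;
    }
    return password_verify($submitted, $storedHash);
}

// Constructed sample: a stored bcrypt hash of a known password.
$storedHash = password_hash('correct horse battery staple', PASSWORD_DEFAULT);

// Inputs on which a loose comparison misfires; the hardened check rejects them.
$cases = [
    'numeric strings'   => ['1e3', '1000'],                        // both numeric strings, compared as numbers
    'boolean vs string' => [true, 'correct horse battery staple'], // a non-empty string is truthy
];
foreach ($cases as $label => [$submitted, $stored]) {
    printf("%-18s loose=%s hardened=%s\n",
        $label,
        var_export(looseOldPasswordCheck($submitted, $stored), true),
        var_export(verifyOldPassword($submitted, $storedHash), true));
}
printf("%-18s hardened=%s\n", 'correct password',
    var_export(verifyOldPassword('correct horse battery staple', $storedHash), true));
```

The point for a reviewer of any password-change handler is the shape of `verifyOldPassword()`: validate the type of the submitted value before comparing, and compare through `password_verify()` or `hash_equals()` rather than `==`, so that the old-password check cannot be satisfied by a value of the wrong type.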

Advisories
Source: Github GHSA
ID: GHSA-46pv-mj2g-93gh
Title: Roundcube Webmail: Incorrect password comparison in the password plugin
History

Fri, 03 Apr 2026 14:00:00 +0000

Type      Values Removed   Values Added
Metrics   -                ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 03 Apr 2026 10:15:00 +0000

Type                  Values Removed   Values Added
Title                 -                Password Change Without Old Password via Type Confusion in Roundcube Password Plugin
First Time appeared   -                Roundcube; Roundcube webmail
Vendors & Products    -                Roundcube; Roundcube webmail

Fri, 03 Apr 2026 05:15:00 +0000

Type          Values Removed   Values Added
Description   -                An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Incorrect password comparison in the password plugin could lead to type confusion that allows a password change without knowing the old password.
Weaknesses    -                CWE-843
References    -                -
Metrics       -                cvssV3_1 {'score': 4.2, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N'}


Subscriptions

Roundcube Webmail

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-03T12:52:08.638Z

Reserved: 2026-04-03T03:50:46.901Z

Link: CVE-2026-35541

Vulnrichment

Updated: 2026-04-03T12:52:05.290Z

NVD

Status: Undergoing Analysis

Published: 2026-04-03T05:16:22.283

Modified: 2026-04-03T16:10:23.730

Link: CVE-2026-35541

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-03T09:15:53Z

Weaknesses