Description
An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Incorrect password comparison in the password plugin could lead to type confusion that allows a password change without knowing the old password.
Published: 2026-04-03
Score: 4.2 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Password Reset
Action: Immediate Patch
AI Analysis

Impact

A flaw in the Roundcube Webmail password plugin allows an attacker to change an account password without providing the current password. The weakness, identified as CWE-843, arises from a type confusion in the password comparison logic, permitting an unauthorized alteration of credentials and potential account takeover.

Affected Systems

All installations of Roundcube Webmail running a version earlier than 1.5.14 or 1.6.14 are affected. These versions lack the mitigation present in the 1.5.14, 1.6.14, and later releases such as 1.7‑rc5.

Risk and Exploitability

The CVSS base score of 4.2 indicates moderate risk, and the EPSS score of less than 1% suggests a low likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog. Inferred from the description, the attack vector involves submitting a password change request via the web interface, likely after an attacker has authenticated or obtained session credentials. Successfully exploiting the flaw would enable password reset without the old password, thereby compromising the account.

Generated by OpenCVE AI on April 7, 2026 at 22:12 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Roundcube Webmail to version 1.5.14, 1.6.14, or a newer release such as 1.7‑rc5.
  • Confirm that the updated password plugin enforces the old password field during a password change.
  • If an immediate upgrade is not possible, limit access to the password change page to authenticated users and monitor for unusual changes.
  • Audit all user accounts for suspicious password changes and reset credentials as needed.

Generated by OpenCVE AI on April 7, 2026 at 22:12 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6196-1 roundcube security update
Github GHSA Github GHSA GHSA-46pv-mj2g-93gh Roundcube Webmail: Incorrect password comparison in the password plugin
History

Wed, 08 Apr 2026 20:15:00 +0000

Type Values Removed Values Added
Title Password Change Without Old Password via Type Confusion in Roundcube Password Plugin

Tue, 07 Apr 2026 20:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:roundcube:webmail:*:*:*:*:*:*:*:*

Fri, 03 Apr 2026 14:00:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 03 Apr 2026 10:15:00 +0000

Type Values Removed Values Added
Title Password Change Without Old Password via Type Confusion in Roundcube Password Plugin
First Time appeared Roundcube
Roundcube webmail
Vendors & Products Roundcube
Roundcube webmail

Fri, 03 Apr 2026 05:15:00 +0000

Type Values Removed Values Added
Description An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Incorrect password comparison in the password plugin could lead to type confusion that allows a password change without knowing the old password.
Weaknesses CWE-843
References
Metrics cvssV3_1

{'score': 4.2, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N'}

Subscriptions

Roundcube Webmail
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-03T12:52:08.638Z

Reserved: 2026-04-03T03:50:46.901Z

Link: CVE-2026-35541

cve-icon Vulnrichment

Updated: 2026-04-03T12:52:05.290Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-03T05:16:22.283

Modified: 2026-04-07T20:45:56.447

Link: CVE-2026-35541

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-08T19:54:22Z

Weaknesses