Description
Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7.1 has Pre-authentication SQL injection in the virtuser_query plugin via a preg_replace() backslash escape bypass.
Published: 2026-05-25
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Roundcube Webmail's virtuser_query plugin substitutes login-supplied values into its SQL lookup with preg_replace(). preg_replace() interprets backslash sequences in its replacement string, so the escaping that the database quoting added to a value can be undone, letting a crafted value terminate the quoted literal and append arbitrary SQL. The lookup runs before the user is authenticated, so no credentials are needed; an attacker who reaches it can read, modify, or delete data held in Roundcube's database.

Affected Systems

This issue affects installations of Roundcube Webmail version 1.6.x before 1.6.16 and version 1.7.x before 1.7.1 when the virtuser_query plugin is enabled. The plugin is optional and must be added to the configured plugin list, so installations that have not enabled it do not run the vulnerable code path.

Risk and Exploitability

The CVSS 3.1 vector (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) scores 8.1 High: reachable over the network with no privileges or user interaction and full confidentiality, integrity and availability impact, kept below critical only by the high attack-complexity rating. EPSS is below 1%, the vulnerability is not listed in CISA's KEV catalog, and the SSVC assessment records no known exploitation and rates the attack as not automatable. The attack path is a crafted value in an unauthenticated request that reaches the virtuser_query plugin's SQL lookup, giving the attacker the ability to inject and execute SQL statements without any credentials.

Generated by OpenCVE AI on May 25, 2026 at 21:24 UTC.
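To make the mechanism behind the "preg_replace() backslash escape bypass" concrete, here is an added PHP 8 example. It is not Roundcube's code and not the plugin's real query template: it pairs a MySQL-style quote() stand-in with the vulnerable pattern (quoted value used as a preg_replace() replacement) and the hardened pattern (the same substitution done literally with strtr()). The template text, the aliases table and column names, and the quoting function are assumptions made for the illustration; only the %u/%d placeholder style follows the plugin's template convention.

```php
<?php
declare(strict_types=1);

// Added illustration, not Roundcube's code. Shows how a value that has already
// been quoted for SQL loses its escaping when it is used as a preg_replace()
// replacement string, and contrasts it with a literal substitution.

// Stand-in for a database quote(): MySQL-style escaping of backslash and
// single quote. Assumption: the real driver's escaping is backend-specific.
function quote_mysql(string $value): string
{
    // Escape backslashes first so the quote escaping below is not re-escaped.
    $escaped = str_replace(['\\', "'"], ['\\\\', "\\'"], $value);
    return "'" . $escaped . "'";
}

// Vulnerable pattern: quoted values used as preg_replace() replacements.
// preg_replace() interprets backslashes in the replacement string: "\\" is
// collapsed to "\" and "\$" to "$", so part of the quoting is undone.
function expand_vulnerable(string $template, string $user, string $domain): string
{
    return preg_replace(
        ['/%u/', '/%d/'],
        [quote_mysql($user), quote_mysql($domain)],
        $template
    );
}

// Hardened pattern: strtr() inserts the replacement text verbatim, so the
// quoted value reaches the SQL string exactly as quote_mysql() produced it.
function expand_safe(string $template, string $user, string $domain): string
{
    return strtr($template, [
        '%u' => quote_mysql($user),
        '%d' => quote_mysql($domain),
    ]);
}

// Reports whether a quoted value survived substitution unchanged.
function value_intact(string $sql, string $value): bool
{
    return str_contains($sql, quote_mysql($value));
}

// Constructed login input: a lone backslash as the local part and the payload
// in the domain part. Template, table and column names are invented here.
$template = 'SELECT user_name FROM aliases WHERE user = %u AND domain = %d';
$user     = '\\';
$domain   = ' OR 1=1 -- ';

$vulnerable = expand_vulnerable($template, $user, $domain);
$safe       = expand_safe($template, $user, $domain);

echo "preg_replace(): $vulnerable\n";
echo "strtr():        $safe\n";
printf("quoted user value intact after preg_replace(): %s\n",
    value_intact($vulnerable, $user) ? 'yes' : 'no');
printf("quoted user value intact after strtr():        %s\n",
    value_intact($safe, $user) ? 'yes' : 'no');
```

Run it with php on the command line. quote_mysql() turns the single backslash into a doubled one inside quotes; preg_replace() collapses that doubled backslash back to one, so the user literal ends as a backslash immediately before its closing quote. Under MySQL's default backslash escaping that closing quote is treated as escaped, the literal runs on until the quote that opens the domain value, and the domain payload is then parsed as SQL. strtr() copies the quoted text verbatim, so both values stay inside their literals. Binding the values as prepared-statement parameters removes the string-building step altogether and is the preferable fix wherever the template allows it.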

Remediation

Fixed versions are Roundcube Webmail 1.6.16 and 1.7.1 (per the CVE description); Debian has issued DSA-6301-1 and DLA-4604-1 for its packages. Until the upgrade is applied, disabling the virtuser_query plugin removes the vulnerable code path.

OpenCVE Recommended Actions

  • Upgrade Roundcube to 1.6.16 or 1.7.1, or a later release that contains the patch for the virtuser_query plugin.
  • If an upgrade is not immediately possible, disable or remove the virtuser_query plugin from the system to eliminate the attack vector.
  • Restrict the database user account used by Roundcube to the minimum privileges required, reducing the impact of any remaining injection vulnerabilities.



Advisories

Source       ID          Title
Debian DLA   DLA-4604-1  roundcube security update
Debian DSA   DSA-6301-1  roundcube security update
History

Wed, 03 Jun 2026 22:30:00 +0000
  References: updated (no values listed)

Tue, 26 May 2026 13:15:00 +0000
  Metrics added: ssvc
    {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 25 May 2026 21:45:00 +0000
  Title added: Pre-Authentication SQL Injection in Roundcube's virtuser_query Plugin

Mon, 25 May 2026 19:45:00 +0000
  Description added: Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7.1 has Pre-authentication SQL injection in the virtuser_query plugin via a preg_replace() backslash escape bypass.
  First Time appeared: Roundcube; Roundcube webmail
  Weaknesses added: CWE-89
  CPEs added: cpe:2.3:a:roundcube:webmail:*:*:*:*:*:*:*:*
  Vendors & Products added: Roundcube; Roundcube webmail
  References: updated (no values listed)
  Metrics added: cvssV3_1
    {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-06-03T21:03:52.811Z

Reserved: 2026-05-25T19:06:36.924Z

Link: CVE-2026-48842

Vulnrichment

Updated: 2026-06-03T21:03:52.811Z

NVD

Status: Deferred

Published: 2026-05-25T20:16:36.630

Modified: 2026-06-03T22:16:34.923

Link: CVE-2026-48842

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-25T23:00:10Z

Weaknesses
  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')