Description
Roundcube Webmail 1.6.x before 1.6.16, and 1.7.x before 1.7.1 allows pre-authentication arbitrary file deletion via redis/memcache session poisoning bypass.
Published: 2026-05-25
Score: 3.7 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Roundcube Webmail versions 1.6.x before 1.6.16 and 1.7.x before 1.7.1 allow an unauthenticated attacker to delete arbitrary files on the server by poisoning session data stored in Redis or Memcache. The flaw stems from insecure handling of session identifiers combined with the ability to write arbitrary paths into the session store, which can be abused to remove critical files or disrupt service. The resulting impact is permanent data loss or sabotage of the webmail service: availability is compromised and user data may be lost.

Affected Systems

The affected software is Roundcube Webmail. Vulnerable versions are 1.6.x before 1.6.16 and 1.7.x before 1.7.1. Administrators running Roundcube below these releases should verify the installed version against the official release notes.

Risk and Exploitability

The CVSS score of 3.7 places the risk in the Low band, but because the attack can be performed without authentication, the potential damage is significant. The EPSS score is below 1% and the flaw is not listed in the CISA KEV catalog, indicating no known widespread exploitation yet. Attackers trigger the bug by manipulating session data held in Redis or Memcache, so the attack vector is network-based session poisoning. The vulnerability requires no privileges to initiate and can be executed by an unauthenticated actor who can influence the session store.

Generated by OpenCVE AI on May 25, 2026 at 20:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official Roundcube 1.6.16 or 1.7.1 release, which contains the session handling fix.
  • Disable or secure access to the Redis/Memcache session storage, ensuring only trusted processes can modify session data.
  • Configure strict permissions on the webmail installation directory to prevent deletion of critical files by unprivileged users.

Advisories

Source      ID          Title
Debian DLA  DLA-4604-1  roundcube security update
Debian DSA  DSA-6301-1  roundcube security update

History

Tue, 26 May 2026 13:15:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc
                           {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 25 May 2026 20:45:00 +0000

Type      Values Removed   Values Added
Title                      Pre-authentication Arbitrary File Deletion via Session Poisoning in Roundcube Webmail

Mon, 25 May 2026 19:45:00 +0000

Type                  Values Removed   Values Added
Description                            Roundcube Webmail 1.6.x before 1.6.16, and 1.7.x before 1.7.1 allows pre-authentication arbitrary file deletion via redis/memcache session poisoning bypass.
First Time appeared                    Roundcube
                                       Roundcube webmail
Weaknesses                             CWE-669
CPEs                                   cpe:2.3:a:roundcube:webmail:*:*:*:*:*:*:*:*
Vendors & Products                     Roundcube
                                       Roundcube webmail
References
Metrics                                cvssV3_1
                                       {'score': 3.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L'}

MITRE

Status: PUBLISHED
Assigner: mitre
Published:
Updated: 2026-05-26T13:02:10.123Z
Reserved: 2026-05-25T19:23:40.394Z
Link: CVE-2026-48847

Vulnrichment

Updated: 2026-05-26T13:02:05.131Z

NVD

Status: Deferred
Published: 2026-05-25T20:16:37.287
Modified: 2026-05-26T19:26:42.643
Link: CVE-2026-48847

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-25T21:00:10Z

Weaknesses
  • CWE-669: Incorrect Resource Transfer Between Spheres