Platform
roundcube
Component
roundcube/roundcubemail
Fixed in
1.5.14
1.6.14
1.7-rc5
CVE-2026-35537 is an insecure deserialization vulnerability in Roundcube Webmail. It affects versions prior to 1.5.14 and 1.6.14, as well as the 1.7 release candidates up to and including 1.7-rc4. The flaw allows unauthenticated attackers to perform arbitrary file write operations by manipulating session data. A fix is available in version 1.7-rc5 (and in 1.5.14 and 1.6.14 for the stable branches), and users are strongly advised to upgrade to mitigate this risk.
CVE-2026-35537 in Roundcube Webmail, affecting versions prior to 1.5.14 and 1.6.14, poses a significant risk because of unsafe deserialization within the Redis/Memcache session handler. An unauthenticated attacker could exploit this flaw to perform arbitrary file write operations on the system, which could modify or delete critical files, compromise the integrity of the mail server and potentially enable malicious code execution. The severity lies in the fact that no credentials are required: anyone with network access to the affected service could attempt to take advantage of this weakness, which makes it an attractive target for malicious actors. Applying the security update is crucial to mitigate this risk.
The vulnerability is exploited by injecting malicious session data into the Redis/Memcache store. This data contains serialized content that, when deserialized by Roundcube Webmail, allows the attacker to execute arbitrary commands on the server. The root cause is the absence of validation of session data before it is deserialized. An attacker can create a session with malicious data and then attempt to access Roundcube Webmail, which triggers the deserialization and execution of the malicious payload. Exploitation does not require authentication, which makes the attack easier. Penetration testing is recommended to identify potential weaknesses in the server configuration and security.
Exploit Status
EPSS
0.04% (12% percentile)
CISA SSVC
CVSS Vector
The recommended solution to address CVE-2026-35537 is to update Roundcube Webmail to version 1.5.14 or higher, or to version 1.6.14 or higher. Version 1.7-rc5 also includes the fix. This update corrects the unsafe deserialization in the Redis/Memcache session handler and prevents the arbitrary file write operations it enabled. In addition to the update, it is recommended to review the server configuration to ensure that the Redis/Memcache session store is adequately protected and isolated. Monitoring server logs for suspicious activity can also help detect and respond to potential exploitation attempts. If an immediate update is not possible, consider additional security measures such as restricting network access to the session store and the webmail service and implementing firewalls.
Update Roundcube Webmail to version 1.6.14 or higher to mitigate the insecure deserialization vulnerability. This update fixes the flaw that allows unauthenticated attackers to perform arbitrary file write operations through manipulated session data.
Versions prior to 1.5.14 and 1.6.14 are affected by this vulnerability.
Check the version of Roundcube Webmail you are using. If it is older than the versions listed above, you are vulnerable.
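Since the only remediation on this page is a version check against the three fixed releases, here is an added example (not code from the Roundcube project or from this page) that parses a Roundcube version string, including release candidates such as 1.7-rc4, and reports whether it predates the fix for its branch. How branches outside 1.5 to 1.7 are treated is an assumption, noted in the code.

```python
import re
from typing import Optional, Tuple

# Lowest fixed release per minor branch, from the advisory's "Fixed in" field.
FIXED_IN = {(1, 5): "1.5.14", (1, 6): "1.6.14", (1, 7): "1.7-rc5"}

# Accepts MAJOR.MINOR, MAJOR.MINOR.PATCH and an optional -rcN suffix (e.g. 1.7-rc4).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-rc(\d+))?$")

def parse_version(version: str) -> Tuple[int, int, int, int, int]:
    """Turn a Roundcube version string into a sortable tuple.

    A release candidate must sort before the final release of the same
    MAJOR.MINOR.PATCH, so rc versions get (0, N) and finals get (1, 0).
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Roundcube version: {version!r}")
    major, minor, patch, rc = m.groups()
    patch_n = int(patch) if patch is not None else 0
    if rc is not None:
        return (int(major), int(minor), patch_n, 0, int(rc))
    return (int(major), int(minor), patch_n, 1, 0)

def upgrade_target(version: str) -> Optional[str]:
    """Return the fixed release for this version's branch, or None if unknown."""
    v = parse_version(version)
    return FIXED_IN.get((v[0], v[1]))

def is_vulnerable(version: str) -> bool:
    """True if the version predates the fix for its branch.

    Assumption (not stated on the page): branches below 1.5 are treated as
    affected, since the advisory covers everything "prior to 1.5.14";
    branches above 1.7 are treated as carrying the fix.
    """
    v = parse_version(version)
    target = upgrade_target(version)
    if target is not None:
        return v < parse_version(target)
    return (v[0], v[1]) < (1, 5)

if __name__ == "__main__":
    import sys
    for arg in sys.argv[1:]:  # e.g. python check.py 1.6.13 1.7-rc4
        state = "VULNERABLE" if is_vulnerable(arg) else "fixed"
        print(f"{arg}: {state} (upgrade to {upgrade_target(arg) or 'latest'})")
```

The version string to check is the one reported by your installation; the script only compares it against the fixed releases named in this advisory.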
Unsafe deserialization occurs when serialized data is deserialized without proper validation, allowing an attacker to inject malicious code.
Consider restricting network access, implementing firewalls, and monitoring server logs.
Currently, there are no specific tools, but penetration testing can help identify the vulnerability.