IMAP Injection and CSRF Bypass Vulnerability in Roundcube Webmail
CVE-2026-35538

3.1 LOW

Key Information:

Vendor: Roundcube

Status
Vendor
CVE Published: 3 April 2026

What is CVE-2026-35538?

Roundcube Webmail versions prior to 1.5.14 and 1.6.14 do not sanitize the arguments passed to the IMAP SEARCH command. This could allow IMAP injection or a CSRF bypass during email search operations, potentially compromising user data and system integrity.

Affected Version(s)

Webmail 0 < 1.5.14

Webmail 1.6.0 < 1.6.14

CVSS V3.1

Score: 3.1
Severity: LOW
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
