Arbitrary File Deletion Vulnerability in Roundcube Webmail by Roundcube
CVE-2026-48847

3.7 LOW

Key Information:

Vendor: Roundcube

Status
Vendor
CVE Published: 25 May 2026

What is CVE-2026-48847?

Roundcube Webmail versions prior to 1.6.16 and 1.7.1 are susceptible to an arbitrary file deletion vulnerability due to a pre-authentication session poisoning bypass involving redis or memcache. This issue can lead to unauthorized deletion of files without proper authentication, potentially compromising sensitive information and disrupting service functionality. Users are encouraged to upgrade to the latest versions to mitigate this risk.

Affected Version(s)

Webmail 1.6.0 < 1.6.16

Webmail 1.7.0 < 1.7.1

CVSS V3.1

Score: 3.7
Severity: LOW
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
