Username Spoofing Vulnerability in Roundcube Webmail
CVE-2026-62644

6.4MEDIUM

Key Information:

Vendor

Roundcube

Status
Vendor
CVE Published:
14 July 2026

What is CVE-2026-62644?

A vulnerability in the password plugin of Roundcube Webmail allows for username spoofing through manipulated session data. This could expose the application to account takeover risks. Users are advised to update to versions 1.6.17 or 1.7.2 to mitigate these risks.

Affected Version(s)

Webmail 1.6.0 < 1.6.17

Webmail 1.7.0 < 1.7.2

References

CVSS V3.1

Score:
6.4
Severity:
MEDIUM
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
Low
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.