CVE-2026-35537 PUBLISHED

Assigner: mitre
Reserved: 03.04.2026 Published: 03.04.2026 Updated: 03.04.2026

An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Unsafe deserialization in the redis/memcache session handler may lead to arbitrary file write operations by unauthenticated attackers via crafted session data.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
CVSS Score: 3.7

Attack Vector	Network	Scope	Unchanged
Attack Complexity	High	Confidentiality Impact	None
Privileges Required	None	Integrity Impact	Low
User Interaction	None	Availability Impact	None

CVSS 3.1

Product Status

Vendor	Roundcube
Product	Webmail
Versions	Default: unaffected affected from 0 to 1.5.14 (excl.) affected from 1.6.0 to 1.6.14 (excl.)

References

https://roundcube.net/news/2026/03/18/security-updates-1.7-rc5-1.6.14-1.5.14
https://github.com/roundcube/roundcubemail/releases/tag/1.7-rc5
https://github.com/roundcube/roundcubemail/commit/6d586cfa4d8a31f7957f7a445aaedd52592a0e74
https://github.com/roundcube/roundcubemail/releases/tag/1.6.14
https://github.com/roundcube/roundcubemail/commit/a4ead994d2f0ea92e4a1603196a197e0d5df1620
https://github.com/roundcube/roundcubemail/releases/tag/1.5.14
https://github.com/roundcube/roundcubemail/commit/618c5428edc69fb088e7ac6c89e506dd39df3

Problem Types

CWE-502 Deserialization of Untrusted Data CWE