CVE-2026-35541 PUBLISHED

Assigner: mitre
Reserved: 03.04.2026 Published: 03.04.2026 Updated: 03.04.2026

An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Incorrect password comparison in the password plugin could lead to type confusion that allows a password change without knowing the old password.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
CVSS Score: 4.2

Attack Vector	Network	Scope	Unchanged
Attack Complexity	High	Confidentiality Impact	Low
Privileges Required	Low	Integrity Impact	Low
User Interaction	None	Availability Impact	None

CVSS 3.1

Product Status

Vendor	Roundcube
Product	Webmail
Versions	Default: unaffected affected from 0 to 1.5.14 (excl.) affected from 1.6.0 to 1.6.14 (excl.)

References

https://roundcube.net/news/2026/03/18/security-updates-1.7-rc5-1.6.14-1.5.14
https://github.com/roundcube/roundcubemail/releases/tag/1.7-rc5
https://github.com/roundcube/roundcubemail/commit/6a275676a8043083c05c961914d830b79e2490d4
https://github.com/roundcube/roundcubemail/releases/tag/1.6.14
https://github.com/roundcube/roundcubemail/commit/6fa2bddc59b9c9fd31cad4a9e2954a208d793dce
https://github.com/roundcube/roundcubemail/releases/tag/1.5.14
https://github.com/roundcube/roundcubemail/commit/2e6a99b2a38110907ea8d3be8e59ec3d5802c394

Problem Types

CWE-843 Access of Resource Using Incompatible Type ('Type Confusion') CWE