CVE-2026-62644

Summary

In Roundcube Webmail before 1.6.17 and 1.7.x before 1.7.2, the password plugin of the Roundcube Webmail was subject to username spoofing via session data, which could lead to account takeover.

Affected Software

VendorProductVersion RangeStatus
RoundcubeWebmail1.6.0 < 1.6.17affected
RoundcubeWebmail1.7.0 < 1.7.2affected

Weaknesses

  • CWE-290: CWE-290 Authentication Bypass by Spoofing

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References