CVE-2026-62644
6.4
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N
Summary
In Roundcube Webmail before 1.6.17 and 1.7.x before 1.7.2, the password plugin of the Roundcube Webmail was subject to username spoofing via session data, which could lead to account takeover.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Roundcube | Webmail | 1.6.0 < 1.6.17 | affected |
| Roundcube | Webmail | 1.7.0 < 1.7.2 | affected |
Weaknesses
- CWE-290: CWE-290 Authentication Bypass by Spoofing
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: total
References
- https://roundcube.net/news/2026/07/05/security-updates-1.6.17-and-1.7.2
- https://github.com/roundcube/roundcubemail/releases/tag/1.7.2
- https://github.com/roundcube/roundcubemail/commit/7414fef51cd2407d39faab99680763f10ed5231d
- https://github.com/roundcube/roundcubemail/commit/9a96c20d8c7c9135876b68bebd6960af3ee60923
- https://github.com/roundcube/roundcubemail/releases/tag/1.6.17
- https://github.com/roundcube/roundcubemail/commit/83150ce04d689a70f92d511bcae40adba8d55476
- https://github.com/roundcube/roundcubemail/commit/5cdc6a48b40beabff7f0bf5d9035f4491e877e4c
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.