CVE-2026-35541
Published 2026-04-03
Priority P4 (23) · medium · 4.2 (CVSS 3.1)
Vector: AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
EPSS: 0.24% (15.3th percentile)
An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Incorrect password comparison in the password plugin could lead to type confusion that allows a password change without knowing the old password.
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | roundcube | < roundcube 1.6.5+dfsg-1+deb12u8 (bookworm) | roundcube 1.6.5+dfsg-1+deb12u8 (bookworm) |
| roundcube | roundcubemail | >= 1.7-beta < 1.7-rc5 | 1.7-rc5 |
| roundcube | webmail | < 1.5.14 | 1.5.14 |
| roundcube | webmail | >= 1.6.0 < 1.6.14 | 1.6.14 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 4.2 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N |
| osv | | 4.2 | MEDIUM | |
| vendor_debian | | 4.2 | MEDIUM | |
OSV
CVE-2026-35541 [MEDIUM] · osv · 2026-04-03 · CVSS 4.2
GHSA
Roundcube Webmail: Incorrect password comparison in the password plugin
CVE-2026-35541 [MEDIUM] · CWE-843 · ghsa · 2026-04-03
OSV
Roundcube Webmail: Incorrect password comparison in the password plugin
CVE-2026-35541 [MEDIUM] · osv · 2026-04-03
Debian
CVE-2026-35541: roundcube
CVE-2026-35541 [MEDIUM] · vendor_debian · 2026 · CVSS 4.2
Scope: local
bookworm: resolved (fixed in 1.6.5+dfsg-1+deb12u8)
bullseye: resolved (fixed in 1.4.15+dfsg.1-1+deb11u8)
forky: resolved (fixed in 1.6.14+dfsg-1)
sid: resolved (fixed in 1.6.14+dfsg-1)
trixie: resolved (fixed in 1.6.15+dfsg-0+deb13u1)
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2026-35538 CVE-2026-35539 CVE-2026-35540 CVE-2026-35541 CVE-2026-35542 CVE-2026-35544 roundcubemail: various flaws [epel-all]
CVE-2026-35538 [LOW] · bugzilla · 2026-04-03 · CVSS 3.1
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Discussion:
FEDORA-EPEL-2026-82b702d826 (roundcubemail-1.6.15-1.el10_1) has been submitted as an update to Fedora EPEL 10.1.
https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2026-82b702d826
---
FEDORA-EPEL-2026-646aebe990 (roundcubemail-1.6.15-1.el10_2) has been submitted as an update to Fedora EPEL 10.2.
https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2026-646aebe990
---
FEDORA-EPEL-2026-f7a0d90857 (roundcubemail-1.6.15-1.el10_
Bugzilla
CVE-2026-35538 CVE-2026-35539 CVE-2026-35540 CVE-2026-35541 CVE-2026-35542 CVE-2026-35544 roundcubemail: various flaws [fedora-all]
CVE-2026-35538 [LOW] · bugzilla · 2026-04-03 · CVSS 3.1
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Discussion:
FEDORA-2026-6d293b6889 (roundcubemail-1.7~rc6-1.fc44) has been submitted as an update to Fedora 44.
https://bodhi.fedoraproject.org/updates/FEDORA-2026-6d293b6889
---
FEDORA-2026-8ba1a085a9 (roundcubemail-1.6.15-1.fc43) has been submitted as an update to Fedora 43.
https://bodhi.fedoraproject.org/updates/FEDORA-2026-8ba1a085a9
---
FEDORA-2026-051825ca18 (roundcubemail-1.6.15-1.fc42) has been submitted as an update to Fedo
Wiz
CVE-2026-35541 Impact, Exploitability, and Mitigation Steps | Wiz
CVE-2026-35541 [MEDIUM] · blogs_wiz · CVSS 5.3
CVE-2026-35541: PHP vulnerability analysis and mitigation
An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Incorrect password comparison in the password plugin could lead to type confusion that allows a password change without knowing the old password.
Source: NVD
Score 4.2
Published April 3, 2026
Severity MEDIUM
CNA Score 4.2
Affected Technologies
PHP
Linux Debian
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 10
Exploitation Probability (EPSS) N/A
Affected packages and libraries
roundcube/roundcubemail
roundcube
Sources
| Source | Severity | Has Fix | Added at |
|---|---|---|---|
| NVD | | | |
| Debian 11, 12, 13, 14 | MEDIUM | Yes | Apr 05, 2026 |
| Echo | MEDIUM | Yes | Apr 05, 2026 |
References
- https://github.com/roundcube/roundcubemail/commit/2e6a99b2a38110907ea8d3be8e59ec3d5802c394
- https://github.com/roundcube/roundcubemail/commit/6a275676a8043083c05c961914d830b79e2490d4
- https://github.com/roundcube/roundcubemail/commit/6fa2bddc59b9c9fd31cad4a9e2954a208d793dce
- https://github.com/roundcube/roundcubemail/releases/tag/1.5.14
- https://github.com/roundcube/roundcubemail/releases/tag/1.6.14
- https://github.com/roundcube/roundcubemail/releases/tag/1.7-rc5
- https://roundcube.net/news/2026/03/18/security-updates-1.7-rc5-1.6.14-1.5.14