CVE-2026-35537
Received Received - Intake
Unsafe Deserialization in Roundcube Session Handler Allows File Write

Publication date: 2026-04-03

Last updated on: 2026-04-13

Assigner: MITRE

Description
An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Unsafe deserialization in the redis/memcache session handler may lead to arbitrary file write operations by unauthenticated attackers via crafted session data.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-03
Last Modified
2026-04-13
Generated
2026-06-16
AI Q&A
2026-04-03
EPSS Evaluated
2026-06-14
NVD
CVE-2026-35537
EUVD
EUVD-2026-18575
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
roundcube webmail to 1.5.14 (exc)
roundcube webmail From 1.6.0 (inc) to 1.6.14 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-502 The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-35537 is a security vulnerability in Roundcube Webmail versions before 1.5.14 and 1.6.14. It involves unsafe deserialization in the Redis/Memcache session handler, which allows unauthenticated attackers to perform arbitrary file write operations by crafting malicious session data.

The root cause is the unsafe instantiation of the GuzzleHttp\Cookie\FileCookieJar class during session handling. Attackers can exploit this to write files on the server before authentication.

The vulnerability was fixed by disabling the instantiation of the FileCookieJar class through an autoloader that throws an exception whenever this class is requested, effectively preventing unsafe deserialization paths that lead to arbitrary file writes.

Impact Analysis

This vulnerability allows unauthenticated attackers to write arbitrary files on the server running Roundcube Webmail. Such arbitrary file write can lead to further exploitation, including potential code execution, data manipulation, or disruption of service.

Because the attack can be performed before authentication, it bypasses normal access controls, increasing the risk and severity of the impact.

The CVSS base score of 3.7 indicates a low to medium severity, with the main impact being integrity loss (I:L) but no direct confidentiality or availability impact.

Mitigation Strategies

To mitigate the CVE-2026-35537 vulnerability in Roundcube Webmail, you should immediately upgrade your Roundcube installation to one of the fixed versions: 1.5.14, 1.6.14, or 1.7 RC5.

These updates include a security fix that disables the unsafe instantiation of the GuzzleHttp\Cookie\FileCookieJar class, which prevents unsafe deserialization in the Redis/Memcache session handler and blocks arbitrary file write attacks before authentication.

It is also recommended to back up your data before applying the update.

Compliance Impact

The vulnerability in Roundcube Webmail allows unauthenticated attackers to perform arbitrary file write operations via unsafe deserialization in the Redis/Memcache session handler. Such a security flaw could potentially lead to unauthorized data manipulation or exposure.

While the provided information does not explicitly mention compliance with standards like GDPR or HIPAA, vulnerabilities that allow unauthorized file writes can increase the risk of data breaches or unauthorized access to sensitive information, which may impact compliance with data protection regulations.

Therefore, organizations using vulnerable versions of Roundcube Webmail might face increased risk of non-compliance with regulations that require protection of personal or sensitive data, due to the potential exploitation of this vulnerability.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-35537. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart