CVE-2026-35537
Unsafe Deserialization in Roundcube Session Handler Allows File Write

Publication date: 2026-04-03

Last updated on: 2026-04-13

Assigner: MITRE

Description
An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Unsafe deserialization in the redis/memcache session handler may lead to arbitrary file write operations by unauthenticated attackers via crafted session data.
Meta Information
Generated: 2026-05-06
AI Q&A: 2026-04-03
EPSS evaluated: 2026-05-05
Affected Vendors & Products
Vendor     Product   Version / Range
roundcube  webmail   up to 1.5.14 (1.5.14 excluded)
roundcube  webmail   from 1.6.0 (included) up to 1.6.14 (1.6.14 excluded)
CWE ID    Description
CWE-502   The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-35537 is a security vulnerability in Roundcube Webmail versions before 1.5.14 and 1.6.14. It involves unsafe deserialization in the Redis/Memcache session handler, which allows unauthenticated attackers to perform arbitrary file write operations by crafting malicious session data.

The root cause is the unsafe instantiation of the GuzzleHttp\Cookie\FileCookieJar class during session handling. Attackers can exploit this to write files on the server before authentication.

The vulnerability was fixed by disabling the instantiation of the FileCookieJar class through an autoloader that throws an exception whenever this class is requested, effectively preventing unsafe deserialization paths that lead to arbitrary file writes.


How can this vulnerability impact me?

This vulnerability allows unauthenticated attackers to write arbitrary files on the server running Roundcube Webmail. Such arbitrary file write can lead to further exploitation, including potential code execution, data manipulation, or disruption of service.

Because the attack can be performed before authentication, it bypasses normal access controls, increasing the risk and severity of the impact.

The CVSS base score of 3.7 indicates a low to medium severity, with the main impact being integrity loss (I:L) but no direct confidentiality or availability impact.


What immediate steps should I take to mitigate this vulnerability?

To mitigate the CVE-2026-35537 vulnerability in Roundcube Webmail, you should immediately upgrade your Roundcube installation to one of the fixed versions: 1.5.14, 1.6.14, or 1.7 RC5.

These updates include a security fix that disables the unsafe instantiation of the GuzzleHttp\Cookie\FileCookieJar class, which prevents unsafe deserialization in the Redis/Memcache session handler and blocks arbitrary file write attacks before authentication.

It is also recommended to back up your data before applying the update.
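The autoloader guard that the two answers above describe, written out as an added example rather than Roundcube's own patch: a guard registered ahead of Composer's autoloader refuses the class named in the advisory, and a second function shows the stricter `allowed_classes` control a session store should apply anyway. The function names, the constructed session blobs and the logging are assumptions, not part of the project.

```php
<?php
declare(strict_types=1);

// Added example (not the Roundcube patch). Class name from the advisory;
// function names, sample blobs and logging are assumed for illustration.
const BLOCKED_SESSION_CLASSES = ['GuzzleHttp\Cookie\FileCookieJar'];

// Guard registered with prepend = true so it runs before Composer's autoloader:
// a serialized blob naming a blocked class aborts unserialize() before any
// instance (and therefore any destructor doing file I/O) can exist.
spl_autoload_register(function (string $class): void {
    if (in_array($class, BLOCKED_SESSION_CLASSES, true)) {
        throw new RuntimeException("blocked class requested during autoload: $class");
    }
}, true, true);

// Layer 1, the advisory's approach: objects are still allowed in general, but
// looking up a blocked class throws and the whole blob is rejected.
function decode_session_guarded(string $raw): mixed
{
    try {
        return unserialize($raw);
    } catch (RuntimeException $e) {
        error_log('session rejected: ' . $e->getMessage());
        return null;
    }
}

// Layer 2, the general control: allow no objects at all. Anything that
// would have been an object comes back as __PHP_Incomplete_Class, which a
// session store has no legitimate reason to contain, so treat it as tampering.
function decode_session_strict(string $raw): ?array
{
    $data = unserialize($raw, ['allowed_classes' => false]);
    if (!is_array($data)) {
        return null;
    }
    $hasObject = false;
    array_walk_recursive($data, function ($v) use (&$hasObject): void {
        if (is_object($v)) { $hasObject = true; }   // nested incomplete object
    });
    return $hasObject ? null : $data;
}

// Constructed samples: a normal session array, and a blob that only names the
// blocked class (no properties) to exercise the guard.
$ok  = serialize(['user_id' => 42, 'language' => 'en_US']);
$bad = 'O:31:"GuzzleHttp\Cookie\FileCookieJar":0:{}';

var_dump(decode_session_guarded($ok));   // array(2) {...}
var_dump(decode_session_guarded($bad));  // NULL: the guard threw
var_dump(decode_session_strict($ok));    // array(2) {...}
var_dump(decode_session_strict($bad));   // NULL: object rejected
```

Because the guard is registered first, Composer's autoloader never sees the request, so an installed Guzzle cannot supply the class either.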


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability in Roundcube Webmail allows unauthenticated attackers to perform arbitrary file write operations via unsafe deserialization in the Redis/Memcache session handler. Such a security flaw could potentially lead to unauthorized data manipulation or exposure.

While the provided information does not explicitly mention compliance with standards like GDPR or HIPAA, vulnerabilities that allow unauthorized file writes can increase the risk of data breaches or unauthorized access to sensitive information, which may impact compliance with data protection regulations.

Therefore, organizations using vulnerable versions of Roundcube Webmail might face increased risk of non-compliance with regulations that require protection of personal or sensitive data, due to the potential exploitation of this vulnerability.

