CVE-2026-35538
IMAP Injection and CSRF Bypass in Roundcube Webmail
Publication date: 2026-04-03
Last updated on: 2026-04-07
Assigner: MITRE
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| roundcube | webmail | Up to 1.5.14 (exc) |
| roundcube | webmail | From 1.6.0 (inc) to 1.6.14 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-88 | The product constructs a string for a command to be executed by a separate component in another control sphere, but it does not properly delimit the intended arguments, options, or switches within that command string. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in Roundcube Webmail before versions 1.5.14 and 1.6.14 stems from unsanitized input reaching the IMAP SEARCH command. Because IMAP commands are delimited by line endings, newline characters embedded in the search filter input could terminate the SEARCH command and inject arbitrary IMAP commands after it, a technique known as IMAP Injection.
The same flaw also allowed a Cross-Site Request Forgery (CSRF) bypass during mail search operations: a mail search could be triggered without the request sanitization and session validation it should have required.
The vulnerability was fixed by sanitizing user input, removing newline characters from the IMAP SEARCH filter and from the Message-ID header, so that a supplied value can no longer break out of the command it belongs to. This prevents injection of additional commands and closes the CSRF bypass vector.
How can this vulnerability impact me?
This vulnerability can allow attackers to inject unauthorized IMAP commands through the mail search functionality, potentially leading to unauthorized manipulation of mail search queries.
Because of the CSRF bypass, attackers might execute mail search actions without proper authorization, which could lead to unauthorized access or manipulation of email data.
While the CVSS base score is relatively low (3.1), indicating limited impact on confidentiality and availability, the integrity of mail search operations can be compromised, potentially affecting the security of your email environment.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves unsanitized IMAP SEARCH command arguments that could lead to IMAP injection or CSRF bypass during mail search in Roundcube Webmail. Detection would involve monitoring IMAP SEARCH commands for suspicious input containing newline characters that could be used to inject additional IMAP commands.
One approach to detect exploitation attempts is to analyze IMAP traffic logs or capture network packets to identify IMAP SEARCH commands containing newline characters (\r or \n) in their arguments, which are not normally expected.
For example, using a network packet capture tool like tcpdump or Wireshark on the connection between the Roundcube host and the IMAP server, you could filter IMAP SEARCH commands and look for suspicious payloads. A sample tcpdump command might be:
- `tcpdump -i <interface> -A port 143 | grep -i 'SEARCH'`
Then manually inspect the SEARCH command arguments for newline characters or unusual formatting that could indicate an injection attempt. Note that this only works for plaintext IMAP on port 143; if Roundcube talks to the IMAP server over TLS (typically port 993), the command contents are encrypted on the wire and must be inspected on the Roundcube host itself, for example from its own IMAP debug logging.
Additionally, reviewing Roundcube Webmail logs for unusual search requests or errors related to IMAP commands might help detect attempts to exploit this vulnerability.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to update Roundcube Webmail to a version that includes the security fix for CVE-2026-35538. The fix sanitizes IMAP SEARCH command inputs by removing newline characters to prevent IMAP injection and closes the CSRF bypass in mail search.
Specifically, upgrade to Roundcube version 1.7-rc4 or later, or at least versions 1.5.14 or 1.6.14 where the patch has been applied.
If immediate upgrading is not possible, consider implementing network-level filtering to block IMAP SEARCH commands containing newline characters or unusual input patterns, although this is less reliable than applying the patch.
Also, review and harden CSRF protections in your webmail environment to prevent unauthorized mail search requests.
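The two answers above describe, on one side, a detection check (flag SEARCH commands whose arguments contain CR or LF) and, on the other, the mitigation the fix applied (strip newline characters from the search filter and the Message-ID value before they are placed into an IMAP command). The following Python is an added example that implements both; it is not Roundcube's own code (Roundcube is written in PHP), and the command records it scans are constructed here to look like client-side IMAP command lines as a packet capture or a debug log might record them. The escaped-sequence heuristic (literal `\r` / `\n` text in a logged argument) is an assumption about how some loggers render control characters, not a documented Roundcube log format.

```python
"""Constructed example: CR/LF sanitization for user-controlled IMAP SEARCH
arguments (mirroring the fix described in the advisory) plus a detector that
flags recorded SEARCH commands whose arguments carry CR/LF."""
import re
from dataclasses import dataclass
from typing import Iterable, List

# IMAP commands are terminated by CRLF, so a CR or LF inside an argument is the
# character that lets an argument end one command and begin another.
CRLF_RE = re.compile(r"[\r\n]")


def sanitize_imap_argument(value: str) -> str:
    """Remove CR and LF from a user-supplied value (search text, Message-ID)
    before it is embedded in an IMAP command line."""
    return CRLF_RE.sub("", value)


def build_search_command(tag: str, field: str, needle: str) -> str:
    """Assemble a single-line SEARCH command from a sanitized needle, quoted
    as an IMAP quoted-string (only backslash and double quote are escaped)."""
    clean = sanitize_imap_argument(needle)
    quoted = '"' + clean.replace("\\", "\\\\").replace('"', '\\"') + '"'
    return f"{tag} SEARCH {field} {quoted}"


# One recorded client command: tag, optional UID prefix, SEARCH, arguments.
# DOTALL lets the argument group span embedded line breaks in a raw record.
SEARCH_RE = re.compile(
    r"^(?P<tag>\S+)\s+(?:UID\s+)?SEARCH\b(?P<args>.*)$",
    re.IGNORECASE | re.DOTALL,
)
# Assumed rendering used by some debug loggers for control characters. A
# literal backslash-r/n is not valid inside an IMAP quoted-string anyway, so
# its presence in a SEARCH argument is worth a look in either case.
ESCAPED_CRLF_RE = re.compile(r"\\r|\\n")


@dataclass
class Finding:
    tag: str
    reason: str
    record: str


def scan_imap_commands(records: Iterable[str]) -> List[Finding]:
    """Return one Finding per SEARCH command whose arguments contain a raw
    or escaped CR/LF; all other commands are ignored."""
    findings: List[Finding] = []
    for rec in records:
        m = SEARCH_RE.match(rec)
        if not m:
            continue
        args = m.group("args")
        if CRLF_RE.search(args):
            findings.append(Finding(m.group("tag"), "raw CR/LF inside SEARCH arguments", rec))
        elif ESCAPED_CRLF_RE.search(args):
            findings.append(Finding(m.group("tag"), "escaped CR/LF inside SEARCH arguments", rec))
    return findings


# Constructed sample records (not real captured traffic): two ordinary
# searches, one with a raw CRLF inside the quoted argument, one with the
# escaped rendering, and one non-SEARCH command that must be ignored.
SAMPLE_RECORDS = [
    "A0001 SEARCH ALL",
    'A0002 SEARCH FROM "alice@example.com" SINCE 1-Jan-2026',
    'A0003 UID SEARCH SUBJECT "status\r\n"',
    'A0004 SEARCH TEXT "invoice\\r\\n"',
    "A0005 FETCH 1 (FLAGS)",
]

if __name__ == "__main__":
    for f in scan_imap_commands(SAMPLE_RECORDS):
        print(f"{f.tag}: {f.reason}: {f.record!r}")
    print(build_search_command("A0006", "TEXT", 'quarterly "report"\r\n'))
```

Running the module prints the two flagged records (A0003 and A0004) and a SEARCH command whose needle has had its line ending stripped and its quotes escaped. In a real deployment the detector would be fed reconstructed client command lines from a capture or from the webmail host's IMAP debug log rather than the constructed list, and the sanitizer belongs at the point where the user-supplied filter is turned into the IMAP command, which is where the advisory says the fix was applied.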
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability in Roundcube Webmail allowed IMAP injection and CSRF bypass during mail search, which could potentially lead to unauthorized manipulation of mail search queries and exposure of data.
Such unauthorized access or manipulation of email data could impact compliance with data protection standards and regulations like GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access or disclosure.
By enabling attackers to inject arbitrary IMAP commands or bypass CSRF protections, the vulnerability could facilitate unauthorized data access or actions, thereby increasing the risk of non-compliance with these regulations.
The fix mitigates these risks by sanitizing inputs to prevent injection and CSRF bypass, helping maintain compliance by protecting the integrity and confidentiality of email data.