CVE-2026-35538
Received Received - Intake
IMAP Injection and CSRF Bypass in Roundcube Webmail

Publication date: 2026-04-03

Last updated on: 2026-04-07

Assigner: MITRE

Description
An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Unsanitized IMAP SEARCH command arguments could lead to IMAP injection or CSRF bypass during mail search.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-03
Last Modified
2026-04-07
Generated
2026-06-16
AI Q&A
2026-04-03
EPSS Evaluated
2026-06-14
NVD
CVE-2026-35538
EUVD
EUVD-2026-18579
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
roundcube webmail to 1.5.14 (exc)
roundcube webmail From 1.6.0 (inc) to 1.6.14 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-88 The product constructs a string for a command to be executed by a separate component in another control sphere, but it does not properly delimit the intended arguments, options, or switches within that command string.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability in Roundcube Webmail before versions 1.5.14 and 1.6.14 involves unsanitized input in the IMAP SEARCH command. Attackers could exploit newline characters in the search filter input to inject arbitrary IMAP commands, a technique known as IMAP Injection.

Additionally, this flaw allowed a Cross-Site Request Forgery (CSRF) bypass during mail search operations, meaning attackers could perform unauthorized mail search actions by exploiting the lack of proper input sanitization and session validation.

The vulnerability was fixed by sanitizing user inputs to remove newline characters from the IMAP SEARCH filter and the Message-ID header, preventing injection of malicious commands and closing the CSRF bypass vector.

Impact Analysis

This vulnerability can allow attackers to inject unauthorized IMAP commands through the mail search functionality, potentially leading to unauthorized manipulation of mail search queries.

Because of the CSRF bypass, attackers might execute mail search actions without proper authorization, which could lead to unauthorized access or manipulation of email data.

While the CVSS base score is relatively low (3.1), indicating limited impact on confidentiality and availability, the integrity of mail search operations can be compromised, potentially affecting the security of your email environment.

Detection Guidance

This vulnerability involves unsanitized IMAP SEARCH command arguments that could lead to IMAP injection or CSRF bypass during mail search in Roundcube Webmail. Detection would involve monitoring IMAP SEARCH commands for suspicious input containing newline characters that could be used to inject additional IMAP commands.

One approach to detect exploitation attempts is to analyze IMAP traffic logs or capture network packets to identify IMAP SEARCH commands containing newline characters (\r or \n) in their arguments, which are not normally expected.

For example, using a network packet capture tool like tcpdump or Wireshark, you could filter IMAP SEARCH commands and look for suspicious payloads. A sample tcpdump command might be:

  • tcpdump -i <interface> -A port 143 | grep -i 'SEARCH'

Then manually inspect the SEARCH command arguments for newline characters or unusual formatting that could indicate an injection attempt.

Additionally, reviewing Roundcube Webmail logs for unusual search requests or errors related to IMAP commands might help detect attempts to exploit this vulnerability.

Mitigation Strategies

The primary mitigation is to update Roundcube Webmail to a version that includes the security fix for CVE-2026-35538. The fix sanitizes IMAP SEARCH command inputs by removing newline characters to prevent IMAP injection and closes the CSRF bypass in mail search.

Specifically, upgrade to Roundcube version 1.7-rc4 or later, or at least versions 1.5.14 or 1.6.14 where the patch has been applied.

If immediate upgrading is not possible, consider implementing network-level filtering to block IMAP SEARCH commands containing newline characters or unusual input patterns, although this is less reliable than applying the patch.

Also, review and harden CSRF protections in your webmail environment to prevent unauthorized mail search requests.

Compliance Impact

The vulnerability in Roundcube Webmail allowed IMAP injection and CSRF bypass during mail search, which could potentially lead to unauthorized manipulation of mail search queries and exposure of data.

Such unauthorized access or manipulation of email data could impact compliance with data protection standards and regulations like GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access or disclosure.

By enabling attackers to inject arbitrary IMAP commands or bypass CSRF protections, the vulnerability could facilitate unauthorized data access or actions, thereby increasing the risk of non-compliance with these regulations.

The fix mitigates these risks by sanitizing inputs to prevent injection and CSRF bypass, helping maintain compliance by protecting the integrity and confidentiality of email data.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-35538. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart