CVE-2026-35541
Type Confusion in Roundcube Password Plugin Allows Unauthorized Changes
Publication date: 2026-04-03
Last updated on: 2026-04-07
Assigner: MITRE
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| roundcube | webmail | to 1.5.14 (exc) |
| roundcube | webmail | From 1.6.0 (inc) to 1.6.14 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-843 | The product allocates or initializes a resource such as a pointer, object, or variable using one type, but it later accesses that resource using a type that is incompatible with the original type. |
Attack-Flow Graph
AI Powered Q&A
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The vulnerability CVE-2026-35541 arises from a type juggling issue in the Roundcube Webmail password plugin due to loose comparison operators in the password verification logic.
To detect if your system is vulnerable, you should check the version of Roundcube Webmail installed and verify if it is before versions 1.5.14 or 1.6.14, as these versions contain the fix.
You can detect the presence of the vulnerable code by inspecting the password plugin file for the use of loose comparison operators (== and !=) in the password verification logic.
- Check the Roundcube version installed: `roundcube --version` or check the version in the webmail interface.
- Search for the vulnerable code pattern in the password plugin file (usually `plugins/password/password.php`):
- Use grep or similar command to find loose comparisons: `grep -E '==|!=' plugins/password/password.php`
- If you find lines like `$curpwd != $newpwd` or `$curpwd == $newpwd`, the system is likely vulnerable.
No specific network detection commands are provided in the resources, but verifying the code and version as above is the recommended approach.
Can you explain this vulnerability to me?
The vulnerability CVE-2026-35541 in Roundcube Webmail is caused by the use of loose comparison operators (== and !=) in the password plugin's verification logic. This leads to a type juggling issue where an attacker can bypass the check for the old password when attempting to change a password.
Specifically, the plugin's `_compare` function compared the current password and the provided old password using loose comparisons, which can be tricked due to PHP's type juggling behavior. This flaw allows an attacker to change a user's password without knowing the old password.
The vulnerability was fixed by replacing the loose comparison operators with strict comparison operators (=== and !==), ensuring that both the value and type must match during password verification.
How can this vulnerability impact me? :
This vulnerability allows an attacker to change a user's password without knowing the original password. As a result, unauthorized individuals could gain access to user accounts by bypassing the password verification step.
Such unauthorized access could lead to account takeover, loss of sensitive information, and potential misuse of the compromised account.
What immediate steps should I take to mitigate this vulnerability?
To mitigate the CVE-2026-35541 vulnerability in Roundcube Webmail, you should update Roundcube to version 1.5.14, 1.6.14, or later where the issue is fixed.
The vulnerability arises from loose comparison operators in the password plugin that allow password changes without knowing the old password.
The fix involves replacing loose comparison operators (== and !=) with strict comparison operators (=== and !==) in the password verification logic, specifically in the `_compare` function within the `plugins/password/password.php` file.
- Apply the security patch or update that changes `$curpwd != $newpwd` to `$curpwd !== $newpwd` and `$curpwd == $newpwd` to `$curpwd === $newpwd`.
- Verify that your Roundcube installation is running a version that includes this fix (1.5.14, 1.6.14 or later).
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability allows an attacker to change a user's password without knowing the old password due to a type juggling flaw in the password plugin. This unauthorized password change capability can lead to unauthorized access to user accounts.
Such unauthorized access risks compromising the confidentiality and integrity of user data, which may impact compliance with data protection regulations like GDPR and HIPAA that require safeguarding user credentials and preventing unauthorized access.
By enabling password changes without proper authentication, the vulnerability undermines security controls that are essential for meeting these regulatory requirements.