Home

Description

In Roundcube Webmail before 1.6.17 and 1.7.x before 1.7.2, the password plugin of the Roundcube Webmail was subject to username spoofing via session data, which could lead to account takeover.

PUBLISHED Reserved 2026-07-14 | Published 2026-07-14 | Updated 2026-07-14 | Assigner mitre




MEDIUM: 6.4CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N

Problem types

CWE-290 Authentication Bypass by Spoofing

Product status

Default status
unaffected

1.6.0 (semver) before 1.6.17
affected

1.7.0 (semver) before 1.7.2
affected

References

roundcube.net/...026/07/05/security-updates-1.6.17-and-1.7.2

github.com/roundcube/roundcubemail/releases/tag/1.7.2

github.com/...ommit/7414fef51cd2407d39faab99680763f10ed5231d

github.com/...ommit/9a96c20d8c7c9135876b68bebd6960af3ee60923

github.com/roundcube/roundcubemail/releases/tag/1.6.17

github.com/...ommit/83150ce04d689a70f92d511bcae40adba8d55476

github.com/...ommit/5cdc6a48b40beabff7f0bf5d9035f4491e877e4c

cve.org (CVE-2026-62644)

nvd.nist.gov (CVE-2026-62644)

Download JSON