
Incorrect password comparison in Roundcube Webmail leads to password change

CVE-2026-35541
Summary

A security issue in the password plugin of Roundcube Webmail allows an attacker to change a user's password without knowing the current one. This could be exploited by someone who has access to the user's account. To fix this, update to Roundcube Webmail version 1.5.14, 1.6.14, or later.

Original title
An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Incorrect password comparison in the password plugin could lead to type confusion that allows a password change without knowin...
Original description
An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Incorrect password comparison in the password plugin could lead to type confusion that allows a password change without knowing the old password.
NVD CVSS 3.1 score: 4.2
Vulnerability type
CWE-843 Type Confusion
Published: 3 Apr 2026 · Updated: 3 Apr 2026 · First seen: 3 Apr 2026