VOOZH about

URL: https://nvd.nist.gov/vuln/detail/CVE-2026-35541

⇱ NVD - CVE-2026-35541

  1. Vulnerabilities

CVE-2026-35541 Detail

Description

An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Incorrect password comparison in the password plugin could lead to type confusion that allows a password change without knowing the old password.


Metrics

 
NVD enrichment efforts reference publicly available information to associate vector strings. CVSS information contributed by other sources is also displayed.
CVSS 4.0 Severity and Vector Strings:

NVD assessment not yet provided.

References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to [email protected].

URL Source(s) Tag(s)
https://github.com/roundcube/roundcubemail/commit/2e6a99b2a38110907ea8d3be8e59ec3d5802c394 MITRE Patch 
https://github.com/roundcube/roundcubemail/commit/6a275676a8043083c05c961914d830b79e2490d4 MITRE Patch 
https://github.com/roundcube/roundcubemail/commit/6fa2bddc59b9c9fd31cad4a9e2954a208d793dce MITRE Patch 
https://github.com/roundcube/roundcubemail/releases/tag/1.5.14 MITRE Release Notes 
https://github.com/roundcube/roundcubemail/releases/tag/1.6.14 MITRE Release Notes 
https://github.com/roundcube/roundcubemail/releases/tag/1.7-rc5 MITRE Release Notes 
https://roundcube.net/news/2026/03/18/security-updates-1.7-rc5-1.6.14-1.5.14 MITRE Vendor Advisory 

Weakness Enumeration

CWE-ID CWE Name Source
CWE-843 Access of Resource Using Incompatible Type ('Type Confusion') MITRE  

Known Affected Software Configurations Switch to CPE 2.2

CPEs loading, please wait.

Denotes Vulnerable Software
Are we missing a CPE here? Please let us know.

Change History

4 change records found show changes

CVE Modified by CISA-ADP 6/17/2026 6:40:44 AM

Action Type Old Value New Value
Added SSVC 
{"timestamp":"2026-04-03T12:52:00.474977Z","id":"CVE-2026-35541","options":[{"exploitation":"none"},{"automatable":"no"},{"technicalImpact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}

CVE Modified by MITRE 6/17/2026 6:40:44 AM

Action Type Old Value New Value
Added Affected 
[{"vendor":"Roundcube","product":"Webmail","defaultStatus":"unaffected","versions":[{"version":"0","lessThan":"1.5.14","versionType":"semver","status":"affected"},{"version":"1.6.0","lessThan":"1.6.14","versionType":"semver","status":"affected"}]}]

Initial Analysis by NIST 4/07/2026 4:45:56 PM

Action Type Old Value New Value
Added CPE Configuration 
OR
 *cpe:2.3:a:roundcube:webmail:*:*:*:*:*:*:*:* versions up to (excluding) 1.5.14
 *cpe:2.3:a:roundcube:webmail:*:*:*:*:*:*:*:* versions from (including) 1.6.0 up to (excluding) 1.6.14
Added Reference Type 
MITRE: https://github.com/roundcube/roundcubemail/commit/2e6a99b2a38110907ea8d3be8e59ec3d5802c394 Types: Patch
Added Reference Type 
MITRE: https://github.com/roundcube/roundcubemail/commit/6a275676a8043083c05c961914d830b79e2490d4 Types: Patch
Added Reference Type 
MITRE: https://github.com/roundcube/roundcubemail/commit/6fa2bddc59b9c9fd31cad4a9e2954a208d793dce Types: Patch
Added Reference Type 
MITRE: https://github.com/roundcube/roundcubemail/releases/tag/1.5.14 Types: Release Notes
Added Reference Type 
MITRE: https://github.com/roundcube/roundcubemail/releases/tag/1.6.14 Types: Release Notes
Added Reference Type 
MITRE: https://github.com/roundcube/roundcubemail/releases/tag/1.7-rc5 Types: Release Notes
Added Reference Type 
MITRE: https://roundcube.net/news/2026/03/18/security-updates-1.7-rc5-1.6.14-1.5.14 Types: Vendor Advisory

New CVE Received from MITRE 4/03/2026 1:16:22 AM

Action Type Old Value New Value
Added Description 
An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Incorrect password comparison in the password plugin could lead to type confusion that allows a password change without knowing the old password.
Added CVSS V3.1 
AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
Added CWE 
CWE-843
Added Reference 
https://github.com/roundcube/roundcubemail/commit/2e6a99b2a38110907ea8d3be8e59ec3d5802c394
Added Reference 
https://github.com/roundcube/roundcubemail/commit/6a275676a8043083c05c961914d830b79e2490d4
Added Reference 
https://github.com/roundcube/roundcubemail/commit/6fa2bddc59b9c9fd31cad4a9e2954a208d793dce
Added Reference 
https://github.com/roundcube/roundcubemail/releases/tag/1.5.14
Added Reference 
https://github.com/roundcube/roundcubemail/releases/tag/1.6.14
Added Reference 
https://github.com/roundcube/roundcubemail/releases/tag/1.7-rc5
Added Reference 
https://roundcube.net/news/2026/03/18/security-updates-1.7-rc5-1.6.14-1.5.14

Quick Info

CVE Dictionary Entry:
CVE-2026-35541
NVD Published Date:
04/03/2026
NVD Last Modified:
06/17/2026
Source:
MITRE