CVE-2026-35541 — Roundcube Webmail: Incorrect password comparison in the password plugin

Description

An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Incorrect password comparison in the password plugin could lead to type confusion that allows a password change without knowing the old password.

How to fix CVE-2026-35541

To remediate CVE-2026-35541, upgrade the affected package to a fixed version below.

—upgrade to 1.4.15+dfsg.1-1+deb11u8 or later
—upgrade to 1.7-rc5 or later

Is CVE-2026-35541 being exploited?

Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0, < 1.4.15+dfsg.1-1+deb11u8
>= 1.7-beta, < 1.7-rc5

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM4.2	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N

References (10)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2026-35541
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2026-35541
PATCHgithub.com/roundcube/roundcubemail
WEBgithub.com/roundcube/roundcubemail/commit/2e6a99b2a38110907ea8d3be8e59ec3d5802c394