#VU124137 Missing authentication for critical function in Roundcube Webmail


Published: March 19, 2026 / Updated: March 19, 2026


Vulnerability identifier: #VU124137
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Green
CVE-ID: N/A
CWE-ID: CWE-306
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: Roundcube Webmail
Software vendor: Roundcube

Description

The vulnerability allows a remote user to escalate privileges by changing another user's password without providing the old password.

The vulnerability exists due to improper authentication in the password change functionality when handling password update requests. A remote user can submit a specially crafted request to change a password without supplying the old password, leading to unauthorized account modification.

Authentication is required to reach the password change interface, but the old password is never verified before the change is applied.
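The CWE-306 pattern behind this advisory, as an added illustration that is not Roundcube's code: a generic password-change handler that trusts the logged-in session and never checks the current password, next to a hardened handler that binds the change to the session's own account and verifies the current password before touching the store. The in-memory `UserStore`, the PBKDF2 parameters and the minimal length policy are assumptions made for the example; the idea that the target account can be named in the request is modelled on the advisory's wording ("changing another user's password") and is not a statement about how Roundcube's request looks.

```python
"""Password-change endpoint: the missing-verification flaw beside its fix.
Added example, not code from Roundcube."""
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 100_000  # assumption: any current PBKDF2 work factor
MIN_PASSWORD_LEN = 12        # assumption: local policy minimum


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 digest of a password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


class UserStore:
    """In-memory user table (constructed for the example): username -> (salt, hash)."""

    def __init__(self):
        self._users = {}

    def add(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[username] = (salt, hash_password(password, salt))

    def verify(self, username: str, password: str) -> bool:
        rec = self._users.get(username)
        if rec is None:
            # Spend the same work for unknown users so timing does not reveal them.
            hash_password(password, b"\x00" * 16)
            return False
        salt, stored = rec
        return hmac.compare_digest(stored, hash_password(password, salt))

    def set_password(self, username: str, new_password: str) -> None:
        salt = os.urandom(16)
        self._users[username] = (salt, hash_password(new_password, salt))


def change_password_vulnerable(store: UserStore, session_user: str, request: dict) -> bool:
    """The flaw class the advisory describes: the caller is authenticated,
    but the handler never checks the old password, and it takes the target
    account from the request body instead of from the session."""
    target = request.get("username", session_user)
    store.set_password(target, request["new_password"])
    return True


def change_password_hardened(store: UserStore, session_user: str, request: dict) -> bool:
    """Fixed handler: the only account that can be changed is the session's
    own, the current password must be supplied and must verify, and the new
    password must satisfy the policy. Returns False on any refusal."""
    old = request.get("old_password")
    new = request.get("new_password")
    if not old or not new:
        return False
    if not store.verify(session_user, old):      # re-authenticate for the critical action
        return False
    if len(new) < MIN_PASSWORD_LEN or new == old:
        return False
    store.set_password(session_user, new)
    return True


if __name__ == "__main__":
    store = UserStore()
    store.add("alice", "alice-original-pw")
    store.add("bob", "bob-original-pw")
    # alice is logged in; the hardened handler refuses a request aimed at bob
    print(change_password_hardened(store, "alice", {"username": "bob", "new_password": "x" * 16}))
    # and refuses alice's own change when the current password is missing
    print(change_password_hardened(store, "alice", {"new_password": "x" * 16}))
```

A useful detection signal falls out of the fixed handler: every `False` it returns for a wrong or missing current password is a failed re-authentication event worth logging with the session user, and a burst of them against one session is the kind of activity the advisory's "specially crafted request" would produce against an unpatched instance.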


Remediation

Install the security update from the vendor's website.

External links