Missing authentication for critical function in Roundcube Webmail - #VU124137

Published: March 19, 2026 / Updated: March 19, 2026

Vulnerability identifier: #VU124137
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Green
CVE-ID: N/A
CWE-ID: CWE-306
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Roundcube
Affected software:
Roundcube Webmail

Detailed vulnerability description

The vulnerability allows a remote user to escalate privileges by changing another user's password without providing the old password.

The vulnerability exists due to improper authentication in the password change functionality when handling password update requests. A remote user can submit a specially crafted request to change a password without providing the old password, leading to unauthorized account modification.

Authentication is required to reach the password change interface, but the old password is never verified before the new one is accepted.
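The check this advisory describes as missing, shown as an added illustration in PHP (the language Roundcube is written in); this is not the Roundcube password plugin's code, and the handler name, user store and sample account are hypothetical, constructed for the example:

```php
<?php
// Added illustration, not Roundcube code: a password-change handler that
// requires and verifies the current password before any write (the control
// whose absence is tracked as CWE-306 in this advisory).
declare(strict_types=1);

// Constructed sample account; the hash is produced by password_hash().
$users = [
    'alice' => ['hash' => password_hash('old-secret-1', PASSWORD_DEFAULT)],
];

/**
 * Change $username's password. Returns an error string on failure or null on
 * success. A logged-in session alone is not sufficient: the caller must also
 * present the current password, and it must match the stored hash.
 */
function change_password(array &$users, string $username, ?string $current, ?string $new): ?string
{
    if (!isset($users[$username])) {
        return 'unknown user';
    }
    // A handler with the flaw described above would skip the next two checks
    // and accept any request arriving from an authenticated session.
    if ($current === null || $current === '') {
        return 'current password required';
    }
    // password_verify() compares against the stored hash in constant time.
    if (!password_verify($current, $users[$username]['hash'])) {
        // Failed attempts here are worth counting for rate limiting and alerting.
        return 'current password incorrect';
    }
    if ($new === null || strlen($new) < 12) {
        return 'new password too short';
    }
    $users[$username]['hash'] = password_hash($new, PASSWORD_DEFAULT);
    return null;
}

// A request that omits the old password is rejected; only a request that
// supplies the correct current password changes the stored hash.
var_dump(change_password($users, 'alice', null, 'a-much-longer-secret'));
var_dump(change_password($users, 'alice', 'wrong', 'a-much-longer-secret'));
var_dump(change_password($users, 'alice', 'old-secret-1', 'a-much-longer-secret'));
var_dump(password_verify('a-much-longer-secret', $users['alice']['hash']));
```

When reviewing a deployment, confirm that the password update path cannot be reached with the current-password field empty and that a wrong current password is logged and rejected.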

Remediation

Install security update from vendor's website.

Sources