VYPR
Low severity (3.7) · NVD Advisory · Published Apr 3, 2026 · Updated Apr 13, 2026

CVE-2026-35537

Description

An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Unsafe deserialization in the redis/memcache session handler may lead to arbitrary file write operations by unauthenticated attackers via crafted session data.
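The advisory names the primitive (PHP deserialization of session data read back from a shared store) but not the handler code, so the following is an added illustration, not Roundcube's code: a hypothetical session decoder in its unsafe form beside the hardened form, plus a detection walk over the decoded value. It assumes the session blob is a plain `serialize()` string and that legitimate sessions contain only scalars and arrays; `allowed_classes` is a real option of PHP's `unserialize()` (PHP 7.0+), while the function names and the sample blobs are constructed for this example.

```php
<?php
// Added example (not Roundcube's code): decoding a session blob that came back
// from an untrusted shared store such as redis/memcache.
//
// Assumptions: the blob is a PHP serialize() string, and the session only ever
// needs scalars/arrays, so no real object should ever appear in it.

/**
 * Unsafe pattern: a plain unserialize() instantiates whatever classes the blob
 * names and runs their __wakeup()/__destruct() hooks. If the store is writable
 * by an attacker, that is an object-injection primitive.
 */
function decodeSessionUnsafe(string $blob)
{
    return unserialize($blob);
}

/**
 * Hardened pattern: allowed_classes => false turns every object in the blob
 * into a __PHP_Incomplete_Class, so no constructor, __wakeup() or __destruct()
 * of a real class ever runs. Arrays and scalars decode exactly as before.
 */
function decodeSessionSafe(string $blob)
{
    $data = @unserialize($blob, ['allowed_classes' => false]);
    if ($data === false && $blob !== serialize(false)) {
        // malformed input: treat as an empty session rather than guessing
        return [];
    }
    return $data;
}

/**
 * Detection helper: walk the decoded value and report any object placeholder.
 * A session that should hold only scalars/arrays but carries an object is a
 * strong sign that someone wrote crafted data into the session store.
 */
function findInjectedObjects($value, string $path = '$'): array
{
    $hits = [];
    if ($value instanceof __PHP_Incomplete_Class) {
        // the original class name survives in this magic property
        $props = (array) $value;
        $hits[] = $path . ' -> ' . ($props['__PHP_Incomplete_Class_Name'] ?? '?');
    } elseif (is_array($value)) {
        foreach ($value as $k => $v) {
            $hits = array_merge($hits, findInjectedObjects($v, $path . '[' . $k . ']'));
        }
    } elseif (is_object($value)) {
        $hits[] = $path . ' -> ' . get_class($value);
    }
    return $hits;
}

// Constructed samples: a benign session, and one that smuggles an object whose
// class name is a placeholder (not a real gadget); only the shape matters here.
$benign  = serialize(['user_id' => 42, 'lang' => 'en_US']);
$crafted = 'a:1:{s:7:"user_id";O:19:"Example\\Placeholder":1:{s:4:"note";s:11:"constructed";}}';

foreach (['benign' => $benign, 'crafted' => $crafted] as $label => $blob) {
    $decoded = decodeSessionSafe($blob);
    $hits = findInjectedObjects($decoded);
    printf("%-8s objects found: %s\n", $label, $hits ? implode(', ', $hits) : 'none');
}
```

The difference between the two decoders is the whole point: the autoloader guard in the commits below blocks one known gadget class from ever being loaded, whereas restricting `allowed_classes` at the call site removes the object-instantiation primitive regardless of which classes Composer happens to make reachable. Running `findInjectedObjects` over decoded sessions (or over raw blobs in the store) gives operators a cheap indicator that crafted session data was written, even on a host where the guard already fails the request closed.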

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
|---|---|---|
| roundcube/roundcubemail (Packagist) | >= 1.7-beta, < 1.7-rc5 | 1.7-rc5 |


Patches (3)
618c5428edc6

Fix pre-auth arbitrary file write via unsafe deserialization in redis/memcache session handler

https://github.com/roundcube/roundcubemail · Aleksander Machniak · Mar 17, 2026 · via ghsa
2 files changed · +14 −1
  • CHANGELOG.md (+4 −0, modified)
    @@ -2,6 +2,10 @@
     
     ## Unreleased
     
    +- Security: Fix pre-auth arbitrary file write via unsafe deserialization in redis/memcache session handler
    +
    +## Release 1.5.13
    +
     - Fix remote image blocking bypass via SVG content reported by nullcathedral
     - Fix CSS injection vulnerability reported by CERT Polska
     
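Review bot: the new `- Security:` entry carries no advisory identifier; this fix is tracked as CVE-2026-35537, and appending that to the line lets distribution packagers map the changelog to the advisory without reading the commit. Note also that the hunk inserts a `## Release 1.5.13` heading below the new entry, so the SVG and CSS fixes already listed become 1.5.13 and only the security entry stays under Unreleased; worth confirming that release split is intended, since the commit message describes a security fix and nothing about cutting a release.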
    
  • program/include/iniset.php (+10 −1, modified)
    @@ -1,6 +1,8 @@
     <?php
     
    -/**
    +use GuzzleHttp\Cookie\FileCookieJar;
    +
    +/*
      +-----------------------------------------------------------------------+
      | This file is part of the Roundcube Webmail client                     |
      |                                                                       |
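Review bot: the `/**` to `/*` change on the license header is not explained by the commit message; presumably it stops the header being treated as a docblock attached to the new `use` statement, and one sentence in the commit message would save the next reader from guessing. The `use GuzzleHttp\Cookie\FileCookieJar;` import itself is harmless: `use` only aliases a name and never invokes the autoloader, so it cannot trip the guard registered further down in this file, and `FileCookieJar::class` resolves at compile time for the same reason.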
    @@ -76,6 +78,13 @@
     // register autoloader for rcmail app classes
     spl_autoload_register('rcmail_autoload');
     
    +// disable use of dangerous dependencies
    +spl_autoload_register(static function ($classname) {
    +    if ($classname === FileCookieJar::class) {
    +        throw new \Exception("{$classname} is forbidden for security reasons.");
    +    }
    +}, true, true);
    +
     /**
      * PHP5 autoloader routine for dynamic class loading
      */
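Review bot: the guard is a denylist of exactly one class. It stops the known file-writing gadget, but the root cause named in the commit title, `unserialize()` of attacker-writable session data instantiating arbitrary autoloadable classes, is untouched, so any other class with a side-effecting `__wakeup()` or `__destruct()` reachable through Composer remains usable. The durable fix belongs at the deserialization site in the session handler (`unserialize($data, ['allowed_classes' => false])`, or a session encoding that cannot express objects), with this autoloader guard kept as defence in depth. The comment `// disable use of dangerous dependencies` also promises more than the single `===` comparison delivers; either name the one class in the comment or make the check a list so future gadgets can be added without touching the logic.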
    
a4ead994d2f0

Fix pre-auth arbitrary file write via unsafe deserialization in redis/memcache session handler

https://github.com/roundcube/roundcubemail · Aleksander Machniak · Mar 17, 2026 · via ghsa
2 files changed · +13 −1
  • CHANGELOG.md (+3 −0, modified)
    @@ -1,6 +1,9 @@
     # Changelog Roundcube Webmail
     
    +## Unreleased
    +
     - Fix Postgres connection using IPv6 address (#10104)
    +- Security: Fix pre-auth arbitrary file write via unsafe deserialization in redis/memcache session handler
     
     ## Release 1.6.13
     
    
  • program/include/iniset.php (+10 −1, modified)
    @@ -1,6 +1,8 @@
     <?php
     
    -/**
    +use GuzzleHttp\Cookie\FileCookieJar;
    +
    +/*
      +-----------------------------------------------------------------------+
      | This file is part of the Roundcube Webmail client                     |
      |                                                                       |
    @@ -80,6 +82,13 @@
     // register autoloader for rcmail app classes
     spl_autoload_register('rcmail_autoload');
     
    +// disable use of dangerous dependencies
    +spl_autoload_register(static function ($classname) {
    +    if ($classname === FileCookieJar::class) {
    +        throw new \Exception("{$classname} is forbidden for security reasons.");
    +    }
    +}, true, true);
    +
     /**
      * PHP5 autoloader routine for dynamic class loading
      */
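Review bot: the guard only fires when the class has not yet been loaded. `spl_autoload_register` callbacks run once, for a class name PHP does not yet know, so if any earlier code path in the same request has already autoloaded `FileCookieJar` (an HTTP client configured with a cookie jar, for instance), a later `unserialize()` that names it never reaches this callback. Prepending with the third argument `true` is the right choice for ordering against Composer's loader, but it does not cover the already-loaded case; only a check at the deserialization site closes that gap.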
    
6d586cfa4d8a

Fix pre-auth arbitrary file write via unsafe deserialization in redis/memcache session handler

https://github.com/roundcube/roundcubemail · Aleksander Machniak · Mar 17, 2026 · via ghsa
2 files changed · +10 −0
  • CHANGELOG.md (+1 −0, modified)
    @@ -9,6 +9,7 @@ This file includes only changes we consider noteworthy for users, admins and plu
     - Fix PHP fatal error when using IMAP cache (#10102)
     - Fix Postgres connection using IPv6 address (#10104)
     - Fix bug where `rel=stylesheet` part of a `<link>` could get removed
    +- Security: Fix pre-auth arbitrary file write via unsafe deserialization in redis/memcache session handler
     
     ## 1.7-rc4
     
    
  • program/include/iniset.php (+9 −0, modified)
    @@ -1,5 +1,7 @@
     <?php
     
    +use GuzzleHttp\Cookie\FileCookieJar;
    +
     /*
      +-----------------------------------------------------------------------+
      | This file is part of the Roundcube Webmail client                     |
    @@ -81,6 +83,13 @@
     // register autoloader for rcmail app classes
     spl_autoload_register('rcmail_autoload');
     
    +// disable use of dangerous dependencies
    +spl_autoload_register(static function ($classname) {
    +    if ($classname === FileCookieJar::class) {
    +        throw new \Exception("{$classname} is forbidden for security reasons.");
    +    }
    +}, true, true);
    +
     /**
      * PHP5 autoloader routine for dynamic class loading
      */
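Review bot: throwing a bare `\Exception` fails closed, which is correct, but it discards the one signal an operator would want: nothing records that a forbidden class was requested, so attempts against a patched host surface only as generic request failures. Logging the class name through Roundcube's existing logging before the `throw` turns the guard into a detection point at no extra risk. A dedicated exception subclass would also let the session handler catch it specifically and discard the offending session rather than abort the whole request with a generic error.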
    
