Low severity (CVSS 3.1, NVD) · Advisory · Published Apr 3, 2026 · Updated Apr 7, 2026
CVE-2026-35538
Description
An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Unsanitized IMAP SEARCH command arguments could lead to IMAP injection or CSRF bypass during mail search.
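As an added illustration of the defect the description refers to (example code written for this page, not Roundcube's own code and not taken from the commits below): a small PHP fragment that assembles an IMAP SEARCH command line the way the patched code does, collapsing CR/LF in the list filter and removing it from the Message-ID value, and then checks that the result is a single command line. The allow-list of filter keywords and the quoting of the Message-ID value go beyond the page's fix and are my assumptions; the keyword names are standard RFC 3501 search keys.

```php
<?php
// Added example, not Roundcube's code: builds an IMAP SEARCH command line from
// the two inputs the advisory names (a list filter and a Message-ID header
// value) and checks that neither input can break the command across lines.

// Assumption: the list filter is expected to be one or more RFC 3501 search
// keys; anything else falls back to ALL. Roundcube's real filter set is not
// shown on this page.
const ALLOWED_FILTER_KEYS = ['ALL', 'UNSEEN', 'SEEN', 'FLAGGED', 'UNFLAGGED',
    'ANSWERED', 'UNANSWERED', 'DELETED', 'UNDELETED'];

function sanitize_search_filter(string $filter): string
{
    // Same rule as the fix: CR/LF collapsed to a space so the filter cannot
    // continue onto a second IMAP command line.
    $filter = preg_replace('/[\r\n]+/', ' ', $filter);
    // Stronger than the deny-list alone: keep only known search keys.
    $keys = array_filter(explode(' ', strtoupper(trim($filter))), 'strlen');
    foreach ($keys as $key) {
        if (!in_array($key, ALLOWED_FILTER_KEYS, true)) {
            return 'ALL';
        }
    }
    return $keys ? implode(' ', $keys) : 'ALL';
}

function imap_quoted(string $value): string
{
    // IMAP quoted string: CR and LF cannot be represented, so drop them (as
    // the send.php fix does), then escape backslash and double quote.
    $value = preg_replace('/[\r\n]+/', '', $value);
    return '"' . addcslashes($value, '\\"') . '"';
}

function build_search_command(string $tag, string $filter, string $messageId): string
{
    return $tag . ' SEARCH ' . sanitize_search_filter($filter)
        . ' HEADER Message-ID ' . imap_quoted($messageId) . "\r\n";
}

function is_single_command_line(string $cmd): bool
{
    // Exactly one CRLF, at the end, and no bare CR or LF before it.
    return substr($cmd, -2) === "\r\n"
        && preg_match('/[\r\n]/', substr($cmd, 0, -2)) === 0;
}

// Constructed inputs: a clean request, one whose values carry line breaks,
// and one whose filter is not a known search key.
$cases = [
    ['UNSEEN', '<draft-1@example.invalid>'],
    ["UNSEEN\r\nFLAGGED", "<draft-2@example.invalid>\r\n"],
    ['NOT A KEY', '<draft-3@example.invalid>'],
];
foreach ($cases as [$filter, $mid]) {
    $cmd = build_search_command('A001', $filter, $mid);
    printf("%-48s %s\n", json_encode($cmd),
        is_single_command_line($cmd) ? 'ok' : 'MULTI-LINE');
}
```

The deny-list line from the patch is kept as the first step; the allow-list and the quoted-string wrapper are the extra layers a reviewer would usually ask for, since line-break removal alone does nothing about spaces, parentheses or quotes inside a header value that is concatenated into the criteria.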
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| roundcube/roundcubemail (Packagist) | >= 1.7-beta, < 1.7-rc5 | 1.7-rc5 |
Affected products
Patches
Commit 7daf5aa9c190: Fix IMAP Injection + CSRF bypass in mail search
3 files changed · +8 −0
CHANGELOG.md+1 −0 modified@@ -4,6 +4,7 @@ - Security: Fix pre-auth arbitrary file write via unsafe deserialization in redis/memcache session handler - Security: Fix bug where a password could get changed without providing the old password +- Security: Fix IMAP Injection + CSRF bypass in mail search ## Release 1.5.13
program/actions/mail/search.php+4 −0 modified@@ -71,6 +71,10 @@ public function run($args = []) $sort_column = self::sort_column(); $sort_order = self::sort_order(); + // We pass the filter as-is into IMAP SEARCH command. A newline could be used + // to inject extra commands, so we remove these. + $search_str = preg_replace('/[\r\n]+/', ' ', $search_str); + // set message set for already stored (but incomplete) search request if (!empty($continue) && isset($_SESSION['search']) && $_SESSION['search_request'] == $continue) { $rcmail->storage->set_search_set($_SESSION['search']);
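Review bot: the added `$search_str = preg_replace('/[\r\n]+/', ' ', $search_str);` is a deny-list that removes only CR and LF, while the comment above it says the filter goes into IMAP SEARCH as-is. If the list filter is meant to be one of a fixed set of IMAP search keys (the `$filter != 'ALL'` comparison in the 1.7 hunk suggests it is), an allow-list check on the filter value would be the stronger fix; and since nothing in this hunk shows how the user-typed part of `$search_str` is escaped, the comment should say where that happens so a later reader does not assume this line is the only protection.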
program/actions/mail/send.php+3 −0 modified@@ -280,6 +280,9 @@ public function run($args = []) } if ($savedraft) { + // Sanitize the IMAP SEARCH input + $message_id = preg_replace('/[\r\n]+/', '', $message_id); + // remember new draft-uid ($saved could be an UID or true/false here) if ($saved && is_bool($saved)) { $index = $rcmail->storage->search_once($drafts_mbox, 'HEADER Message-ID ' . $message_id);
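Review bot: after the CR/LF removal, `$message_id` is still concatenated unquoted into `'HEADER Message-ID ' . $message_id`, so a Message-ID containing a space, parenthesis or double quote would still change the structure of the SEARCH criteria; pass it as an IMAP quoted or literal string (or through the storage layer's escaping) rather than relying on line-break removal alone. The comment `// Sanitize the IMAP SEARCH input` should also say what is removed and why, as the search.php comment does.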
Commit b18a8fa8e815: Fix IMAP Injection + CSRF bypass in mail search
3 files changed · +8 −0
CHANGELOG.md+1 −0 modified@@ -5,6 +5,7 @@ - Fix Postgres connection using IPv6 address (#10104) - Security: Fix pre-auth arbitrary file write via unsafe deserialization in redis/memcache session handler - Security: Fix bug where a password could get changed without providing the old password +- Security: Fix IMAP Injection + CSRF bypass in mail search ## Release 1.6.13
program/actions/mail/search.php+4 −0 modified@@ -71,6 +71,10 @@ public function run($args = []) $sort_column = self::sort_column(); $sort_order = self::sort_order(); + // We pass the filter as-is into IMAP SEARCH command. A newline could be used + // to inject extra commands, so we remove these. + $search_str = preg_replace('/[\r\n]+/', ' ', $search_str); + // set message set for already stored (but incomplete) search request if (!empty($continue) && isset($_SESSION['search']) && $_SESSION['search_request'] == $continue) { $rcmail->storage->set_search_set($_SESSION['search']);
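Review bot: the replace runs after `$search_str` has already been fully assembled, so the comment "We pass the filter as-is" describes only one part of what the variable holds at this point. The 1.7 version of this fix (third commit on this page) applies the same replace inside `search_input()` right where the list filter is added to `$result`, which is the clearer location; consider backporting that placement so all three branches sanitize at the same spot and the comment matches the variable it is next to.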
program/actions/mail/send.php+3 −0 modified@@ -281,6 +281,9 @@ public function run($args = []) } if ($savedraft) { + // Sanitize the IMAP SEARCH input + $message_id = preg_replace('/[\r\n]+/', '', $message_id); + // remember new draft-uid ($saved could be an UID or true/false here) if ($saved && is_bool($saved)) { $index = $rcmail->storage->search_once($drafts_mbox, 'HEADER Message-ID ' . $message_id);
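Review bot: the replacement string differs between the two files of this commit: search.php replaces CR/LF with a space, send.php with the empty string. Both are defensible for their input (a Message-ID must not contain whitespace, a filter may), but a one-line comment explaining the difference, or one shared helper in the storage layer used by both call sites, would keep the two from drifting apart in future edits.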
Commit 5fe8a69956a9: Fix IMAP Injection + CSRF bypass in mail search
3 files changed · +8 −0
CHANGELOG.md+1 −0 modified@@ -11,6 +11,7 @@ This file includes only changes we consider noteworthy for users, admins and plu - Fix bug where `rel=stylesheet` part of a `<link>` could get removed - Security: Fix pre-auth arbitrary file write via unsafe deserialization in redis/memcache session handler - Security: Fix bug where a password could get changed without providing the old password +- Security: Fix IMAP Injection + CSRF bypass in mail search ## 1.7-rc4
program/actions/mail/search.php+4 −0 modified@@ -217,6 +217,10 @@ public static function search_input($str, $headers = '', $filter = 'ALL', $inter // Add list filter string $result = $filter && $filter != 'ALL' ? $filter : ''; + // We pass the filter as-is into IMAP SEARCH command. A newline could be used + // to inject extra commands, so we remove these. Keep the filter simple, please. + $result = preg_replace('/[\r\n]+/', ' ', $result); + // Add the interval filter string if ($search_interval = self::search_interval_criteria($interval)) { $result .= ' ' . $search_interval;
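Review bot: the replace is applied to `$result` while it holds only the list filter; `$search_interval`, appended on the lines right after it, and whatever `search_input()` adds from `$str` later are outside it, so confirm those parts are built from validated values or escaped separately, and say so in the comment. "Keep the filter simple, please." reads as a note to future editors rather than an explanation of what the code enforces; replace it with the actual rule (for example, that the filter is expected to be one of a known set of search keys).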
program/actions/mail/send.php+3 −0 modified@@ -246,6 +246,9 @@ public function run($args = []) } if ($savedraft) { + // Sanitize the IMAP SEARCH input + $message_id = preg_replace('/[\r\n]+/', '', $message_id); + // remember new draft-uid ($saved could be an UID or true/false here) if ($saved && is_bool($saved)) { $index = $rcmail->storage->search_once($drafts_mbox, 'HEADER Message-ID ' . $message_id);
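Review bot: the CR/LF removal sits inside the `if ($savedraft)` branch directly above the single `search_once($drafts_mbox, 'HEADER Message-ID ' . $message_id)` call, so it protects only this call site. A safer pattern is for the search helper itself (`search_once` / `search`) to reject or escape CR/LF in its criteria argument, so every caller gets the protection rather than each one having to remember its own `preg_replace` line.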
References
- github.com/roundcube/roundcubemail/commit/5fe8a69956a9683a4269f3ad2a68e18deebf8a15 (NVD: Patch)
- github.com/roundcube/roundcubemail/commit/7daf5aa9c190ccc75bb31672d8fee9938877fd64 (NVD: Patch)
- github.com/roundcube/roundcubemail/commit/b18a8fa8e81571914c0ff55d4e20edb459c6952c (NVD: Patch)
- github.com/advisories/GHSA-8jr8-v43g-5c57 (GHSA: Advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-35538 (GHSA: Advisory)
- roundcube.net/news/2026/03/18/security-updates-1.7-rc5-1.6.14-1.5.14 (NVD: Vendor Advisory)
- github.com/roundcube/roundcubemail/releases/tag/1.5.14 (NVD: Release Notes)
- github.com/roundcube/roundcubemail/releases/tag/1.6.14 (NVD: Release Notes)
- github.com/roundcube/roundcubemail/releases/tag/1.7-rc5 (NVD: Release Notes)