VYPR
Medium severity · 4.2 (NVD) · Advisory · Published Apr 3, 2026 · Updated Apr 7, 2026

CVE-2026-35541

Description

An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14 (the fix is also carried in the 1.7 release candidates, see the package table below). The password plugin compared the supplied current password with PHP's loose `!=` operator instead of the strict `!==`; the resulting type juggling could make the comparison succeed for a value that is not the real password, so a password change could be completed without knowing the old password.
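The following is an added example written for this page, not Roundcube's code: it reproduces the shape of the plugin's `_compare` helper in a loose (pre-fix) and strict (post-fix) form and adds a hardened variant, then runs constructed probe values through the PASSWORD_COMPARE_CURRENT branch. The argument order (stored value first, user-supplied value second), the function names and the probe values are assumptions for illustration; whether non-string values such as `null` or `true` can actually reach the plugin from a request is not established by this advisory.

```php
<?php
// Added example (hypothetical helpers, not the Roundcube password plugin itself).
// Shows why `!=` let a wrong "current password" pass and what `!==` changes.

const PASSWORD_COMPARE_CURRENT = 1;
const PASSWORD_COMPARE_NEW     = 2;

// Pre-fix shape: PHP's loose == / != compare numeric-looking strings by value
// and coerce scalars of differing types before comparing.
function compare_loose($curpwd, $newpwd, int $type): ?string
{
    switch ($type) {
        case PASSWORD_COMPARE_CURRENT:
            return $curpwd != $newpwd ? 'passwordincorrect' : null;
        case PASSWORD_COMPARE_NEW:
            return $curpwd == $newpwd ? 'samepasswd' : null;
        default:
            return 'internalerror';
    }
}

// Post-fix shape: strict comparison requires identical type and value.
function compare_strict($curpwd, $newpwd, int $type): ?string
{
    switch ($type) {
        case PASSWORD_COMPARE_CURRENT:
            return $curpwd !== $newpwd ? 'passwordincorrect' : null;
        case PASSWORD_COMPARE_NEW:
            return $curpwd === $newpwd ? 'samepasswd' : null;
        default:
            return 'internalerror';
    }
}

// Hardened variant (assumption, not the project's fix): reject non-string
// operands outright and use a constant-time comparison for the secret check.
function compare_hardened($curpwd, $newpwd, int $type): ?string
{
    if (!is_string($curpwd) || !is_string($newpwd)) {
        return 'internalerror';
    }
    switch ($type) {
        case PASSWORD_COMPARE_CURRENT:
            return hash_equals($curpwd, $newpwd) ? null : 'passwordincorrect';
        case PASSWORD_COMPARE_NEW:
            return $curpwd === $newpwd ? 'samepasswd' : null;
        default:
            return 'internalerror';
    }
}

// Constructed probes: stored/current value on the left, the value an attacker
// would submit as the "old password" on the right. None of the right-hand
// values equals the left-hand one byte for byte.
$probes = [
    ['1000',     '1e3'],      // both numeric strings: 1000 == 1e3 under ==
    ['0e123456', '0e654321'], // both parse as 0 (the "magic hash" pattern)
    ['1',        ' 1'],       // leading whitespace is still a numeric string
    ['',         null],       // null is coerced to "" under ==
    ['secret',   true],       // bool true == any non-empty string under ==
];

// A null result means "current password accepted"; loose accepts every probe,
// strict rejects them all, hardened additionally refuses non-string operands.
foreach ($probes as [$stored, $supplied]) {
    printf("%-12s vs %-12s loose:%-20s strict:%-20s hardened:%s\n",
        var_export($stored, true), var_export($supplied, true),
        var_export(compare_loose($stored, $supplied, PASSWORD_COMPARE_CURRENT), true),
        var_export(compare_strict($stored, $supplied, PASSWORD_COMPARE_CURRENT), true),
        var_export(compare_hardened($stored, $supplied, PASSWORD_COMPARE_CURRENT), true));
}
```

Run it with `php` on 7.1 or later. The first three probes are plain strings, so they show the part of the problem that is independent of how request parameters are typed: loose comparison of two strings that both look numeric is a numeric comparison, which the `!==` fix closes. `hash_equals()` in the hardened variant is a separate improvement for timing, not something the advisory or the patch claims.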

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                              Affected versions         Patched versions
roundcube/roundcubemail (Packagist)  >= 1.7-beta, < 1.7-rc5    1.7-rc5

The 1.5.x (< 1.5.14) and 1.6.x (< 1.6.14) ranges named in the description are not listed in this table; the three patches below are the same fix applied to the 1.5, 1.6 and 1.7 branches (see the release headings in their CHANGELOG hunks).

Affected products: 1

Patches (3)

Commit 2e6a99b2a381

Fix bug where a password could get changed without providing the old password

https://github.com/roundcube/roundcubemail · Aleksander Machniak · Mar 17, 2026 · via ghsa
2 files changed · +3 −2
  • CHANGELOG.md (+1 −0, modified)
    @@ -3,6 +3,7 @@
     ## Unreleased
     
     - Security: Fix pre-auth arbitrary file write via unsafe deserialization in redis/memcache session handler
    +- Security: Fix bug where a password could get changed without providing the old password
     
     ## Release 1.5.13
     
    
  • plugins/password/password.php (+2 −2, modified)
    @@ -333,10 +333,10 @@ private function _compare($curpwd, $newpwd, $type)
             else {
                 switch ($type) {
                 case PASSWORD_COMPARE_CURRENT:
    -                $result = $curpwd != $newpwd ? $this->gettext('passwordincorrect') : null;
    +                $result = $curpwd !== $newpwd ? $this->gettext('passwordincorrect') : null;
                     break;
                 case PASSWORD_COMPARE_NEW:
    -                $result = $curpwd == $newpwd ? $this->gettext('samepasswd') : null;
    +                $result = $curpwd === $newpwd ? $this->gettext('samepasswd') : null;
                     break;
                 default:
                     $result = $this->gettext('internalerror');
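Review bot: on the PASSWORD_COMPARE_CURRENT line, switching `!=` to `!==` closes the loose-comparison hole (under `!=` PHP compares numeric strings such as '1e3' and '1000' by value and treats null as equal to ''), but the check still assumes both operands are strings and performs a non-constant-time comparison; consider guarding with `is_string()` on both inputs and using `$result = hash_equals($curpwd, $newpwd) ? null : $this->gettext('passwordincorrect');` for this branch. The `if` branch above this `else` is outside the hunk, so confirm it applies the same strict check.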
    
Commit 6fa2bddc59b9

Fix bug where a password could get changed without providing the old password

https://github.com/roundcube/roundcubemail · Aleksander Machniak · Mar 17, 2026 · via ghsa
2 files changed · +3 −2
  • CHANGELOG.md (+1 −0, modified)
    @@ -4,6 +4,7 @@
     
     - Fix Postgres connection using IPv6 address (#10104)
     - Security: Fix pre-auth arbitrary file write via unsafe deserialization in redis/memcache session handler
    +- Security: Fix bug where a password could get changed without providing the old password
     
     ## Release 1.6.13
     
    
  • plugins/password/password.php (+2 −2, modified)
    @@ -333,10 +333,10 @@ private function _compare($curpwd, $newpwd, $type)
             else {
                 switch ($type) {
                 case PASSWORD_COMPARE_CURRENT:
    -                $result = $curpwd != $newpwd ? $this->gettext('passwordincorrect') : null;
    +                $result = $curpwd !== $newpwd ? $this->gettext('passwordincorrect') : null;
                     break;
                 case PASSWORD_COMPARE_NEW:
    -                $result = $curpwd == $newpwd ? $this->gettext('samepasswd') : null;
    +                $result = $curpwd === $newpwd ? $this->gettext('samepasswd') : null;
                     break;
                 default:
                     $result = $this->gettext('internalerror');
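Review bot: `!==` on the PASSWORD_COMPARE_CURRENT line is the right minimal fix for the loose-comparison bug (PHP's `!=` equates numeric-looking strings by value), but the branch still does not verify that `$curpwd` and `$newpwd` are strings and compares in non-constant time; an `is_string()` guard plus `hash_equals($curpwd, $newpwd)` would cover both. This is a 1.6-branch backport identical to the 1.5 and 1.7 changes, so the same follow-up applies on every branch.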
    
Commit 6a275676a804

Fix bug where a password could get changed without providing the old password

https://github.com/roundcube/roundcubemail · Aleksander Machniak · Mar 17, 2026 · via ghsa
2 files changed · +3 −2
  • CHANGELOG.md (+1 −0, modified)
    @@ -10,6 +10,7 @@ This file includes only changes we consider noteworthy for users, admins and plu
     - Fix Postgres connection using IPv6 address (#10104)
     - Fix bug where `rel=stylesheet` part of a `<link>` could get removed
     - Security: Fix pre-auth arbitrary file write via unsafe deserialization in redis/memcache session handler
    +- Security: Fix bug where a password could get changed without providing the old password
     
     ## 1.7-rc4
     
    
  • plugins/password/password.php (+2 −2, modified)
    @@ -326,10 +326,10 @@ private function _compare($curpwd, $newpwd, $type)
             } else {
                 switch ($type) {
                     case PASSWORD_COMPARE_CURRENT:
    -                    $result = $curpwd != $newpwd ? $this->gettext('passwordincorrect') : null;
    +                    $result = $curpwd !== $newpwd ? $this->gettext('passwordincorrect') : null;
                         break;
                     case PASSWORD_COMPARE_NEW:
    -                    $result = $curpwd == $newpwd ? $this->gettext('samepasswd') : null;
    +                    $result = $curpwd === $newpwd ? $this->gettext('samepasswd') : null;
                         break;
                     default:
                         $result = $this->gettext('internalerror');
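Review bot: the `!==` change on the PASSWORD_COMPARE_CURRENT line removes the loose-comparison behaviour (numeric strings compared by value, null equal to '') that allowed a non-matching value to pass, but the comparison remains non-constant-time and does not assert string operands; consider `is_string()` checks on both arguments and `hash_equals()` for this branch. The PASSWORD_COMPARE_NEW line only decides whether to report `samepasswd`, so `===` is sufficient there.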
    


References (9)

News mentions (0): no linked articles in our index yet.