CVE-2026-48844
Description
Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7.1 has insecure code evaluation logic in the LDAP autovalues option that could lead to code injection. (Support for code evaluation has been removed in 1.6.16 and 1.7.1.)
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Roundcube Webmail removes code evaluation from the LDAP autovalues option to fix a code injection vulnerability in 1.6.x before 1.6.16 and 1.7.x before 1.7.1.
Vulnerability
Roundcube Webmail versions 1.6.x prior to 1.6.16 and 1.7.x prior to 1.7.1 contain insecure code evaluation logic in the LDAP autovalues option. The vulnerable code allowed PHP code embedded in the autovalues configuration to be executed via eval(), leading to code injection [1][2][3][4]. The affected configuration is used when mapping LDAP attributes to local fields; the eval() branch is taken whenever an autovalues template contains an opening parenthesis [4].
Exploitation
An attacker would need to be able to influence the LDAP autovalues configuration or the LDAP data returned to Roundcube. The vulnerable code path is reached when the autovalues template contains an opening parenthesis "(", which causes the code to evaluate the expression using eval() after replacing {attr} placeholders with escaped attribute values [4]. An attacker with control over LDAP directory contents or the Roundcube configuration could inject PHP code through crafted attribute values or template strings.
Impact
Successful exploitation allows an attacker to execute arbitrary PHP code on the Roundcube server, leading to full compromise of the webmail application and potentially the underlying system. This could result in information disclosure, data manipulation, or further lateral movement within the network.
Mitigation
Roundcube has removed support for code evaluation in the LDAP autovalues option. The fix is included in versions 1.6.16 (LTS) and 1.7.1, both released on 24 May 2026 [1][2][3]. All production installations running Roundcube 1.6.x or 1.7.x should be updated immediately. No workaround is available if the update cannot be applied.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Patches (2)
ea1798a6fbf0 Fix code injection vulnerability - remove support for code evaluation in LDAP `autovalues` option
3 files changed · +8 −28
CHANGELOG.md+1 −0 modified@@ -10,6 +10,7 @@ - Security: Fix bypass of remote image blocking via CSS var() - Security: Fix local/private URL fetch bypass when remote resources were not allowed - Security: Fix pre-auth arbitrary file delete via redis/memcache session poisoning bypass +- Security: Fix code injection vulnerability - remove support for code evaluation in LDAP `autovalues` option ## Release 1.6.15
config/defaults.inc.php+1 −2 modified@@ -1150,8 +1150,7 @@ 'sub_fields' => [], // Generate values for the following LDAP attributes automatically when creating a new record 'autovalues' => [ - // 'uid' => 'md5(microtime())', // You may specify PHP code snippets which are then eval'ed - // 'mail' => '{givenname}.{sn}@mydomain.com', // or composite strings with placeholders for existing attributes + // 'mail' => '{givenname}.{sn}@mydomain.com', // composite strings with placeholders for existing attributes ], 'sort' => 'cn', // The field to sort the listing by. 'scope' => 'sub', // search mode: sub|base|list
program/lib/Roundcube/rcube_ldap.php+6 −26 modified@@ -1581,34 +1581,14 @@ protected function add_autovalues(&$attrs) foreach ($this->prop['autovalues'] as $lf => $templ) { if (empty($attrs[$lf])) { - if (strpos($templ, '(') !== false) { - // replace {attr} placeholders with (escaped!) attribute values to be safely eval'd - $code = preg_replace('/\{\w+\}/', '', strtr($templ, array_map('addslashes', $attrvals))); - $res = false; - - try { - $res = eval("return ($code);"); - } - catch (ParseError $e) { - // ignore - } - - if ($res === false) { - rcube::raise_error([ - 'code' => 505, 'file' => __FILE__, 'line' => __LINE__, - 'message' => "Expression parse error on: ($code)" - ], true, false); - continue; - } - - $attrs[$lf] = $res; - } - else { - // replace {attr} placeholders with concrete attribute values - $attrs[$lf] = preg_replace('/\{\w+\}/', '', strtr($templ, $attrvals)); - } + // replace {attr} placeholders with concrete attribute values + $attrs[$lf] = preg_replace('/\{\w+\}/', '', strtr($templ, $attrvals)); } } + + $rcube = rcube::get_instance(); + $plugin = $rcube->plugins->exec_hook('ldap_autovalues', ['attrs' => $attrs]); + $attrs = $plugin['attrs']; } /**
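Review bot: The rcube_ldap.php hunk silently changes the meaning of existing configurations without telling the administrator: a template such as the former default `'uid' => 'md5(microtime())'` no longer raises "Expression parse error" or evaluates, it is now copied verbatim into the attribute, so a record would be created with the literal uid `md5(microtime())`. Consider emitting a one-time rcube::raise_error() (or at least a log line) when a template contains `(` and documenting the migration to the new hook, since the CHANGELOG hunk only says "remove support for code evaluation" and the defaults.inc.php hunk drops the old example without mentioning that such templates now behave as plain strings. Also, `$attrs = $plugin['attrs'];` trusts every `ldap_autovalues` handler to return the key; a handler that returns the array without it would wipe all attributes, so a `?? $attrs` fallback would be cheap insurance.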
6a777d7394b7 Fix code injection vulnerability - remove support for code evaluation in LDAP `autovalues` option
3 files changed · +8 −26
CHANGELOG.md+1 −0 modified@@ -21,6 +21,7 @@ This file includes only changes we consider noteworthy for users, admins and plu - Security: Fix bypass of remote image blocking via CSS var() - Security: Fix local/private URL fetch bypass when remote resources were not allowed - Security: Fix pre-auth arbitrary file delete via redis/memcache session poisoning bypass +- Security: Fix code injection vulnerability - remove support for code evaluation in LDAP `autovalues` option ## Release 1.7.0
config/defaults.inc.php+1 −2 modified@@ -1212,8 +1212,7 @@ 'sub_fields' => [], // Generate values for the following LDAP attributes automatically when creating a new record 'autovalues' => [ - // 'uid' => 'md5(microtime())', // You may specify PHP code snippets which are then eval'ed - // 'mail' => '{givenname}.{sn}@mydomain.com', // or composite strings with placeholders for existing attributes + // 'mail' => '{givenname}.{sn}@mydomain.com', // composite strings with placeholders for existing attributes ], 'sort' => 'cn', // The field to sort the listing by. 'scope' => 'sub', // search mode: sub|base|list
program/lib/Roundcube/rcube_ldap.php+6 −24 modified@@ -1581,32 +1581,14 @@ protected function add_autovalues(&$attrs) foreach ($this->prop['autovalues'] as $lf => $templ) { if (empty($attrs[$lf])) { - if (str_contains($templ, '(')) { - // replace {attr} placeholders with (escaped!) attribute values to be safely eval'd - $code = preg_replace('/\{\w+\}/', '', strtr($templ, array_map('addslashes', $attrvals))); - $res = false; - - try { - $res = eval("return ({$code});"); - } catch (\ParseError $e) { - // ignore - } - - if ($res === false) { - rcube::raise_error([ - 'code' => 505, - 'message' => "Expression parse error on: ({$code})", - ], true, false); - continue; - } - - $attrs[$lf] = $res; - } else { - // replace {attr} placeholders with concrete attribute values - $attrs[$lf] = preg_replace('/\{\w+\}/', '', strtr($templ, $attrvals)); - } + // replace {attr} placeholders with concrete attribute values + $attrs[$lf] = preg_replace('/\{\w+\}/', '', strtr($templ, $attrvals)); } } + + $rcube = rcube::get_instance(); + $plugin = $rcube->plugins->exec_hook('ldap_autovalues', ['attrs' => $attrs]); + $attrs = $plugin['attrs']; } /**
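Review bot: The new `ldap_autovalues` hook in the rcube_ldap.php hunk passes only `['attrs' => $attrs]`, so a plugin cannot tell which LDAP address book it is generating values for, nor see the configured `autovalues` templates it is meant to replace. Since this hook is the only remaining way to do what the removed eval() branch did (e.g. generate a `uid`), it would help to also pass an identifier for the address book (for example the relevant entries of `$this->prop`) so one plugin can serve several directories with different rules. The hook should also be added to the plugin hook documentation in the same change; the CHANGELOG hunk does not mention it.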
Vulnerability mechanics
Root cause
"Unsanitized user-controlled configuration values are passed to PHP's eval() function in the LDAP autovalues processing logic."
Attack vector
An attacker who can influence the `autovalues` configuration for an LDAP address book can inject arbitrary PHP code. The `add_autovalues()` method checked whether the template string contained a `(` character; if so, it stripped `{attr}` placeholders and passed the remainder to `eval()` [patch_id=2473669][patch_id=2473670]. Because the configuration is typically set by an administrator, the attack surface is limited to scenarios where an attacker can modify the LDAP directory configuration (e.g., through a separate privilege-escalation or cross-site request forgery vector). The advisory does not specify a particular network path or payload shape beyond the code-evaluation mechanism itself.
Affected code
The vulnerability resides in the `add_autovalues()` method of `program/lib/Roundcube/rcube_ldap.php` [patch_id=2473669][patch_id=2473670]. The `autovalues` configuration option in `config/defaults.inc.php` previously allowed PHP code snippets (e.g., `'uid' => 'md5(microtime())'`) which were passed directly to `eval()` [patch_id=2473669][patch_id=2473670].
What the fix does
Both patches [patch_id=2473669][patch_id=2473670] remove the entire code-evaluation branch that called `eval()` on the template string. The `add_autovalues()` method now only performs safe string interpolation by replacing `{attr}` placeholders with concrete attribute values via `strtr()` and `preg_replace()`. The patches also add a hook (`ldap_autovalues`) so that plugins can implement custom value generation instead of relying on `eval()`. The example in `config/defaults.inc.php` was updated to remove the PHP code snippet comment, and the CHANGELOG entries document the security fix.
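The following is an added example, not code from Roundcube or from the patches above. It reproduces the post-fix behaviour of `add_autovalues()` described in this section (placeholder substitution via `strtr()` and `preg_replace()`, then the `ldap_autovalues` hook) as stand-alone PHP, and adds a small audit helper an administrator can run over an existing `autovalues` array before upgrading. Assumptions: the `attr_map()` function below models how the record's attributes become `{attr}` placeholders (the diff only shows the substitution line); `$this->add_hook()` in the comment is Roundcube's plugin registration call and is not part of this page; the config values, domain and LDAP record are constructed sample data.

```php
<?php
// Added example (not Roundcube's own code). Stand-alone model of the fixed
// autovalues handling plus an admin-side audit of legacy templates.

// Assumed shape: map a record's attributes to '{attr}' placeholders.
// Multi-valued LDAP attributes contribute their first value.
function attr_map(array $attrs): array
{
    $map = [];
    foreach ($attrs as $name => $value) {
        $map['{' . $name . '}'] = is_array($value) ? (string) $value[0] : (string) $value;
    }
    return $map;
}

// Post-fix semantics: every template is opaque text. Known placeholders are
// substituted with strtr(), unknown '{...}' placeholders are stripped, and
// nothing is passed to eval(), whether or not the template contains '('.
function add_autovalues(array $autovalues, array $attrs): array
{
    $attrvals = attr_map($attrs);
    foreach ($autovalues as $lf => $templ) {
        if (empty($attrs[$lf])) {
            $attrs[$lf] = preg_replace('/\{\w+\}/', '', strtr($templ, $attrvals));
        }
    }
    return $attrs;
}

// Stand-in for a plugin handler on the new 'ldap_autovalues' hook. In a real
// plugin this would be registered in init() with
// $this->add_hook('ldap_autovalues', [$this, 'handler']) (assumed API).
// This is the migration path for the removed 'uid' => 'md5(microtime())'
// style: generated values now come from shipped code, not from eval().
function ldap_autovalues_handler(array $args): array
{
    if (empty($args['attrs']['uid'])) {
        $args['attrs']['uid'] = bin2hex(random_bytes(8));
    }
    return $args;
}

// Pre-upgrade audit: templates containing '(' reached the eval() branch before
// the fix and become literal text after it, so list them for review.
function audit_autovalues(array $autovalues): array
{
    $findings = [];
    foreach ($autovalues as $lf => $templ) {
        if (strpos($templ, '(') !== false) {
            $findings[$lf] = $templ;
        }
    }
    return $findings;
}

// Constructed sample: a legacy config mixing both template styles, and a new
// LDAP record that has neither 'mail' nor 'uid' set yet.
$legacy = [
    'mail' => '{givenname}.{sn}@example.com',
    'uid'  => 'md5(microtime())',   // legacy code-snippet style
];
$record = ['givenname' => 'Ada', 'sn' => 'Lovelace', 'cn' => ['Ada Lovelace']];

// 1. Flag legacy code templates; if left in place they would now yield the
//    literal string 'md5(microtime())' and the hook would never fill 'uid'.
$flagged = audit_autovalues($legacy);

// 2. Drop the flagged entries and let the hook generate those values instead,
//    mirroring the fixed method's call order (interpolate, then exec_hook).
$migrated = array_diff_key($legacy, $flagged);
$attrs = add_autovalues($migrated, $record);
$attrs = ldap_autovalues_handler(['attrs' => $attrs])['attrs'];

print_r($flagged);
print_r($attrs);
```

Run with `php example.php`. The audit reports the `uid` template, and the final record carries `mail` built from the `givenname` and `sn` placeholders plus a `uid` produced by the hook handler rather than by evaluating configuration text. The order matters: because `add_autovalues()` fills any empty field whose template exists, a legacy template left in the config would satisfy the `empty()` check with its literal text and the hook would not run for that field.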
Preconditions
- config: The attacker must be able to modify the LDAP address book configuration (specifically the 'autovalues' option) in Roundcube.
- input: The 'autovalues' option must contain a string with a '(' character to trigger the eval() code path.
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/roundcube/roundcubemail/commit/6a777d7394b763ce9acfce86c1a521e14a02d862 (mitre)
- github.com/roundcube/roundcubemail/commit/ea1798a6fbf060abcc0ba73b2435036bf8016a5a (mitre)
- github.com/roundcube/roundcubemail/releases/tag/1.6.16 (mitre)
- github.com/roundcube/roundcubemail/releases/tag/1.7.1 (mitre)
- roundcube.net/news/2026/05/24/security-updates-1.6.16-and-1.7.1 (mitre)
News mentions
No linked articles in our index yet.