VYPR

NVD Advisory · Severity: Unrated · Published May 25, 2026

CVE-2026-48847

Description

Roundcube Webmail 1.6.x before 1.6.16, and 1.7.x before 1.7.1 allows pre-authentication arbitrary file deletion via redis/memcache session poisoning bypass.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Pre-authentication arbitrary file deletion in Roundcube Webmail via Redis/Memcache session poisoning.

Vulnerability

Roundcube Webmail versions 1.6.x before 1.6.16 and 1.7.x before 1.7.1, when configured to use Redis or Memcache for session storage, allow pre-authentication arbitrary file deletion. The vulnerability stems from __destruct methods in classes such as rcube_message_part and rcube_message that call @unlink() on temporary files. By poisoning a session stored in Redis or Memcache, an attacker can cause the destructor to delete an arbitrary file on the server. The fix moves file cleanup to controlled shutdown functions using rcmail::add_shutdown_function() [2][3].

Exploitation

An attacker does not need authentication but must be able to inject malformed session data into the Redis or Memcache backend. This could be achieved by exploiting a separate vulnerability (e.g., SSRF) that allows writing to the cache, or by having network access to the cache server. Once the poisoned session is loaded by Roundcube, the destructor of a crafted object will execute unlink() on a specified file path, deleting the file. No user interaction is required beyond the target visiting a page that loads the session.

Impact

Successful exploitation allows arbitrary file deletion on the web server, potentially leading to denial of service or further compromise (e.g., deleting configuration files, application code, or database credentials). The attacker controls the file path, so critical files can be removed. No remote code execution is described, but file deletion alone can be devastating.

Mitigation

Roundcube released versions 1.6.16 and 1.7.1 on 2026-05-25, which fix this vulnerability by removing the __destruct methods and instead scheduling file cleanup via shutdown functions [1][4]. Users should update immediately. If updating is not possible, restrict network access to Redis/Memcache servers to trusted hosts only, and consider using session signing or encryption to prevent injection. No other official workarounds are provided.

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (2)

  • Roundcube/Webmail (inferred, 2 version ranges)
    • (no CPE) range: >=1.6.0,<1.6.16 || >=1.7.0,<1.7.1
    • (no CPE) range: >=1.6.0 <1.6.16 || >=1.7.0 <1.7.1

Patches (2)

a4eb375b98cc

Fix pre-auth arbitrary file delete via redis/memcache session poisoning bypass

https://github.com/roundcube/roundcubemail · Aleksander Machniak · May 24, 2026 · via nvd-ref
3 files changed · +4 −20
  • CHANGELOG.md (+1 −0, modified)
    @@ -20,6 +20,7 @@ This file includes only changes we consider noteworthy for users, admins and plu
     - Security: Fix SSRF bypass via specific local address URLs
     - Security: Fix bypass of remote image blocking via CSS var()
     - Security: Fix local/private URL fetch bypass when remote resources were not allowed
    +- Security: Fix pre-auth arbitrary file delete via redis/memcache session poisoning bypass
     
     ## Release 1.7.0
     
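Review bot: the new entry sits in the unreleased section above `## Release 1.7.0`, matching the neighbouring security lines, but like them it names neither the advisory identifier nor the session backends involved; appending `(CVE-2026-48847)` and noting that only redis/memcache session storage is affected would let administrators match this line to the advisory without reading the commit.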
    
  • program/include/rcmail_attachment_handler.php (+1 −10, modified)
    @@ -115,16 +115,6 @@ public function __construct()
             $this->mimetype = rcube_mime::fix_mimetype($this->mimetype);
         }
     
    -    /**
    -     * Remove temp files, etc.
    -     */
    -    public function __destruct()
    -    {
    -        if ($this->body_file) {
    -            @unlink($this->body_file);
    -        }
    -    }
    -
         /**
          * Check if the object is a message part not uploaded file
          *
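Review bot: deleting `__destruct()` removes the only cleanup for `$this->body_file` that did not depend on how the property was set; the only replacement in this diff is inside `body_to_file()`, so any other assignment to `body_file` in this class would now leave its temp file behind. Worth confirming that `body_to_file()` is the sole writer, and since the property no longer drives any deletion, consider whether it still needs to be a serializable public state of the object at all.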
    @@ -248,6 +238,7 @@ public function body_to_file($filename)
                 $this->body_file = $filename;
                 fclose($fp);
                 @chmod($filename, 0600);
    +            rcmail::get_instance()->add_shutdown_function(static function () use ($filename) { @unlink($filename); });
     
                 return true;
             }
    
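Review bot: `use ($filename)` binds the path by value at the moment the file is written, so the deletion no longer reads any object property; that is the actual fix and it is correct. Two follow-ups: `$this->body_file = $filename;` on the first context line is kept with no remaining consumer visible in this diff, and `@unlink` at shutdown silently swallows a failure to remove a 0600 temp file, so a log line when `unlink()` returns false would make leaked attachments observable.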
  • program/include/rcmail_sendmail.php (+2 −10, modified)
    @@ -83,16 +83,6 @@ public function __construct($data = [], $options = [])
             }
         }
     
    -    /**
    -     * Object destructor to cleanup temporary files
    -     */
    -    public function __destruct()
    -    {
    -        foreach ($this->temp_files as $file) {
    -            @unlink($file);
    -        }
    -    }
    -
         /**
          * Collect input data for message headers
          *
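Review bot: with this destructor gone, `$this->temp_files` is still written in `deliver_message()` and `save_message()` further down, yet nothing in the diff reads it; unless another method iterates the array, it is now dead state that would still round-trip through serialize()/unserialize(). Either drop the writes together with the destructor or document that the array is an in-memory record only.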
    @@ -467,6 +457,7 @@ public function deliver_message($message, $disconnect = true)
             // @phpstan-ignore-next-line
             if ($mailbody_file) {
                 $this->temp_files[$message->headers()['Message-ID']] = $mailbody_file;
    +            $this->rcmail->add_shutdown_function(static function () use ($mailbody_file) { @unlink($mailbody_file); });
             }
     
             // save message sent time
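Review bot: the added line duplicates the bookkeeping on the line above it (`$this->temp_files[$message->headers()['Message-ID']] = $mailbody_file;`) and runs well past the line length of the surrounding code; breaking the closure over three lines would match the file's style. Functionally it is sound: the closure captures `$mailbody_file` by value, so the file is removed at shutdown even if the `temp_files` entry for that Message-ID is later overwritten.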
    @@ -548,6 +539,7 @@ public function save_message($message)
     
                         if (!is_a($msg, 'PEAR_Error')) {
                             $this->temp_files[$msg_id] = $msg_file;
    +                        $this->rcmail->add_shutdown_function(static function () use ($msg_file) { @unlink($msg_file); });
                         }
                     }
     
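Review bot: because `use ($msg_file)` copies the value at registration time, registering inside this nested block is safe even if `$msg_file` is reassigned for the next message: each closure keeps its own path. If the same path can be saved more than once, `unlink()` is simply attempted repeatedly (harmless under `@`); a check that `$this->temp_files[$msg_id]` is not already set before registering would avoid the redundant callbacks.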
    
703318e6a595

Fix pre-auth arbitrary file delete via redis/memcache session poisoning bypass

https://github.com/roundcube/roundcubemail · Aleksander Machniak · May 24, 2026 · via nvd-ref
3 files changed · +4 −20
  • CHANGELOG.md (+1 −0, modified)
    @@ -9,6 +9,7 @@
     - Security: Fix SSRF bypass via specific local address URLs
     - Security: Fix bypass of remote image blocking via CSS var()
     - Security: Fix local/private URL fetch bypass when remote resources were not allowed
    +- Security: Fix pre-auth arbitrary file delete via redis/memcache session poisoning bypass
     
     ## Release 1.6.15
     
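Review bot: this is the 1.6 branch backport of a4eb375b98cc; the entry lands above `## Release 1.6.15`, so it ships in 1.6.16 as the advisory states. The wording is identical to the 1.7 entry, so the same suggestion applies: reference `CVE-2026-48847` in the line.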
    
  • program/include/rcmail_attachment_handler.php (+1 −10, modified)
    @@ -117,16 +117,6 @@ public function __construct()
             $this->mimetype = rcube_mime::fix_mimetype($this->mimetype);
         }
     
    -    /**
    -     * Remove temp files, etc.
    -     */
    -    public function __destruct()
    -    {
    -        if ($this->body_file) {
    -            @unlink($this->body_file);
    -        }
    -    }
    -
         /**
          * Check if the object is a message part not uploaded file
          *
    @@ -260,6 +250,7 @@ public function body_to_file($filename)
                 $this->body_file = $filename;
                 fclose($fp);
                 @chmod($filename, 0600);
    +            rcmail::get_instance()->add_shutdown_function(static function () use ($filename) { @unlink($filename); });
     
                 return true;
             }
    
  • program/include/rcmail_sendmail.php (+2 −10, modified)
    @@ -76,16 +76,6 @@ public function __construct($data = [], $options = [])
             }
         }
     
    -    /**
    -     * Object destructor to cleanup temporary files
    -     */
    -    public function __destruct()
    -    {
    -        foreach ($this->temp_files as $file) {
    -            @unlink($file);
    -        }
    -    }
    -
         /**
          * Collect input data for message headers
          *
    @@ -461,6 +451,7 @@ public function deliver_message($message, $disconnect = true)
     
             if ($mailbody_file) {
                 $this->temp_files[$message->headers()['Message-ID']] = $mailbody_file;
    +            $this->rcmail->add_shutdown_function(static function () use ($mailbody_file) { @unlink($mailbody_file); });
             }
     
             // save message sent time
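Review bot: identical to the 1.7 hunk except that the `// @phpstan-ignore-next-line` context line above `if ($mailbody_file)` is absent on this branch; if static analysis runs against 1.6.x, check that the unannotated condition does not surface the warning the 1.7 annotation suppresses. The by-value capture of `$mailbody_file` is the same as upstream and is correct.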
    @@ -545,6 +536,7 @@ public function save_message($message)
     
                         if (!is_a($msg, 'PEAR_Error')) {
                             $this->temp_files[$msg_id] = $msg_file;
    +                        $this->rcmail->add_shutdown_function(static function () use ($msg_file) { @unlink($msg_file); });
                         }
                     }
     
    

Vulnerability mechanics

Root cause

"PHP object deserialization triggers `__destruct()` methods that call `@unlink()` on attacker-controlled file paths, enabling pre-authentication arbitrary file deletion via session poisoning."

Attack vector

An attacker with network access to a Roundcube instance that uses redis or memcache for session storage can poison the session store with a crafted serialized PHP object. When Roundcube deserializes the poisoned session, the malicious object's `__destruct()` method is invoked, which calls `@unlink()` on attacker-controlled file paths stored in the object's `temp_files` or `body_file` properties [patch_id=2473663][patch_id=2473664]. This allows pre-authentication arbitrary file deletion because session deserialization occurs before any authentication check. The attack requires no valid user credentials.

Affected code

The vulnerability resides in `program/include/rcmail_sendmail.php` and `program/include/rcmail_attachment_handler.php`. Both classes used `__destruct()` methods to call `@unlink()` on temporary files stored in `$this->temp_files` and `$this->body_file` respectively [patch_id=2473663][patch_id=2473664]. The destructor-based cleanup allowed an attacker who could poison a redis/memcache session to trigger arbitrary file deletion when the deserialized object was destroyed.

What the fix does

Both patches remove the `__destruct()` methods from `rcmail_sendmail.php` and `rcmail_attachment_handler.php` that directly called `@unlink()` on temporary files [patch_id=2473663][patch_id=2473664]. Instead, the cleanup logic is moved to `add_shutdown_function()` calls that register anonymous functions to delete the specific temporary file at script shutdown. Because shutdown functions are registered during normal request processing rather than during deserialization, a poisoned session object cannot trigger arbitrary file deletion through this code path.
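The before/after pattern from both patches, as an added PHP illustration that is not Roundcube code: two toy classes (constructed names `DestructorCleanup` and `ShutdownCleanup`, with PHP's built-in `register_shutdown_function()` standing in for `rcmail::add_shutdown_function()`) and a regression check showing that an object revived from session data fires destructor-based cleanup but carries none of the shutdown-registered cleanup.

```php
<?php
// Vulnerable pattern: cleanup lives in __destruct(), which runs for ANY instance,
// including one revived by unserialize() from a session entry the app never wrote.
final class DestructorCleanup
{
    public ?string $body_file = null;
    public function body_to_file(string $filename): void
    {
        file_put_contents($filename, 'message body');
        $this->body_file = $filename;
    }
    public function __destruct()
    {
        if ($this->body_file) {
            @unlink($this->body_file);
        }
    }
}

// Fixed pattern: the closure holding the path exists only in the request that wrote
// the file; serialize() never captures it, so a revived object carries no cleanup.
final class ShutdownCleanup
{
    public ?string $body_file = null;
    public function body_to_file(string $filename): void
    {
        file_put_contents($filename, 'message body');
        $this->body_file = $filename;
        register_shutdown_function(static function () use ($filename) { @unlink($filename); });
    }
}

// Regression check: revive $class from a session blob whose body_file names $target and
// report whether merely destroying the revived object removed $target.
function revived_object_deletes(string $class, string $target): bool
{
    $seed = new $class();
    $seed->body_file = $target;      // what a poisoned session entry would carry
    $blob = serialize($seed);
    $seed->body_file = null;         // keep the seed's own destructor inert
    $obj = unserialize($blob, ['allowed_classes' => [$class]]);
    unset($obj);                     // destructor, if the class has one, fires here
    return !file_exists($target);
}
foreach ([DestructorCleanup::class, ShutdownCleanup::class] as $class) {
    $target = tempnam(sys_get_temp_dir(), 'rcdemo'); // constructed stand-in for the targeted file
    printf("%-17s deleted target: %s\n", $class, revived_object_deletes($class, $target) ? 'yes' : 'no');
    @unlink($target);
}
```

Run with any PHP 7.4+ CLI: the destructor-based class reports the temp file gone after deserialization, the shutdown-based class does not, because its only deletion logic was never part of the serialized state.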

Preconditions

  • config: Roundcube must use redis or memcache for PHP session storage
  • network: Attacker must be able to write a crafted serialized object into the session store (session poisoning)
  • auth: No authentication required — the attack triggers during session deserialization before login

Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
