Roundcube Webmail Password Plugin Type Confusion Vulnerability Allowing Password Change Without Old Password

Vulnerability

A type confusion vulnerability has been identified in the password plugin of Roundcube Webmail, affecting 1.5 releases before 1.5.14 and 1.6 releases before 1.6.14. When a user changes their password, the plugin compares the submitted current password with the stored one using a loose comparison rather than a strict, byte-wise one. Loose comparison in PHP performs type juggling: two operands that are not identical can still compare equal (most notably two strings that PHP parses as numbers, which are compared as numbers rather than as character sequences). A value that is merely juggled-equal to the stored password therefore satisfies the old-password check, so the password can be changed without the old password being supplied.
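The following PHP snippet is an added illustration of the comparison flaw described above; it is not code from Roundcube or from this advisory, and the function names and sample passwords are assumptions made for the demonstration. It places the loose check next to a strict replacement and runs both over constructed password pairs, none of which match byte for byte.

```php
<?php
// Added illustration of a loose-comparison password check and its strict
// counterpart. Not Roundcube's code: function names, structure and the
// sample passwords below are assumptions for this demo.

declare(strict_types=1);

/**
 * Vulnerable pattern: the submitted current password is compared with the
 * stored one using PHP's loose inequality. When both operands are strings
 * that PHP parses as numbers, they are compared as numbers, not as bytes.
 */
function current_password_ok_loose(mixed $stored, mixed $submitted): bool
{
    return !($submitted != $stored);
}

/**
 * Hardened pattern: require a string, then compare with hash_equals(),
 * a byte-wise, constant-time comparison that never type-juggles.
 * The is_string() guard matters because hash_equals() throws a TypeError
 * on non-string input (for example an array from a "_field[]" parameter).
 */
function current_password_ok_strict(string $stored, mixed $submitted): bool
{
    if (!is_string($submitted)) {
        return false;
    }
    return hash_equals($stored, $submitted);
}

/**
 * Constructed test vectors: [stored password, value submitted as the
 * current password]. No submitted value equals the stored one byte for byte.
 */
const CASES = [
    ['0e1234',  '0e9999'],  // both parse as 0 * 10^n, so 0 == 0
    ['1e3',     '1000'],    // exponent form equals integer form
    ['012',     '12'],      // leading zero is lost in numeric comparison
    ['10',      '1e1'],     // integer form equals exponent form
    ['hunter2', 'hunter3'], // non-numeric strings: loose and strict agree
];

foreach (CASES as [$stored, $submitted]) {
    printf(
        "stored=%-8s submitted=%-8s loose=%-6s strict=%s\n",
        $stored,
        $submitted,
        current_password_ok_loose($stored, $submitted) ? 'PASS' : 'reject',
        current_password_ok_strict($stored, $submitted) ? 'PASS' : 'reject'
    );
}
```

The first four pairs pass the loose check and fail the strict one; only the last pair is rejected by both. Note that PHP 8's "saner string to number comparison" change did not alter this behaviour: it changed how a non-numeric string compares with a number, while two numeric strings are still compared numerically, so upgrading PHP alone does not close the gap; the comparison itself has to be strict.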

Impact

The password plugin is reached from within a logged-in session, so the affected check is the safeguard that stops someone who already holds a session from setting a new password. Exploitation lets a user, or anyone who has obtained a user's session, change the account password without knowing the current one. The legitimate owner can then be locked out and the attacker retains persistent, unauthorized access to the mailbox.

Remediation

Upgrade to Roundcube Webmail 1.5.14, 1.6.14, or 1.7-rc5, all of which include the fix. Update instructions are available on the Roundcube website and on the GitHub release pages. After upgrading, confirm the running version in the webmail interface's About dialog so that no stale installation remains behind.

Added: Apr 3, 2026, 5:25 AM
Updated: Apr 3, 2026, 5:25 AM

Vulnerability Rating

Custom Algorithm

spread          6.4
impact          0.6
exploitability  6.1
remediation     7.7
relevance       5.2
threat          3.2
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to produce these eight vulnerability categories, which are then combined into the overall risk score.