Primary

Context

Roundcube Webmail Arbitrary File Deletion Vulnerability via Session Poisoning Bypass

Vulnerability

Patched

A vulnerability allowing pre-authentication arbitrary file deletion has been identified in Roundcube Webmail versions 1.6.x prior to 1.6.16 and 1.7.x prior to 1.7.1. This issue arises from a session poisoning bypass that exploits Redis or Memcache sessions.

Impact

Exploitation of this vulnerability allows for unauthorized deletion of files on the server where Roundcube is hosted.

Remediation

Users are advised to update to Roundcube Webmail versions 1.6.16 or 1.7.1. Instructions for downloading these versions are available on the Roundcube GitHub releases page.

Added: May 26, 2026, 6:41 PM

Updated: May 26, 2026, 6:41 PM

Vulnerability Rating

Custom Algorithm

spread

7.6

impact

0.2

exploitability

7.8

remediation

7.7

relevance

9.4

threat

3.2

urgency

2.9

incentive

4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

7.6

impact

0.2

exploitability

7.8

remediation

7.7

relevance

9.4

threat

3.2

urgency

2.9

incentive

4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Roundcube Webmail Arbitrary File Deletion Vulnerability via Session Poisoning Bypass

Vulnerability

Impact

Remediation

Affected Products

Roundcube

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating