Cyber Resilience

CVE-2021-44026

Critical · CISA KEV · Active Exploitation · EUVD Exploited

Published: 19 November 2021
Modified: 04 November 2025
KEV Added: 22 June 2023
CVSS Score (v3.1): 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.7253 (98.8th percentile)
Risk Priority: 83 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2021-44026 is a critical-severity SQL Injection (CWE-89) vulnerability in Roundcube webmail, as packaged in Debian Linux. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 1.2% of CVEs by exploit likelihood (EPSS), and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

Roundcube webmail versions before 1.3.17 and 1.4.x before 1.4.12 are affected by a potential SQL injection vulnerability (CWE-89) in the handling of search or search_params inputs. The issue carries a CVSS 3.1 base score of 9.8, reflecting network-accessible attack vectors that require no authentication or user interaction.

An unauthenticated remote attacker can supply crafted search parameters to inject arbitrary SQL statements, resulting in full read, write, or delete access to the underlying database and potential compromise of stored email data or user credentials.

Public references, including Debian LTS announcements, Fedora package updates, and upstream Roundcube commits, direct administrators to apply the available patches that correct input sanitization in the affected search code paths. No details on observed in-the-wild exploitation are provided in the source material.

Vulnerability details

Roundcube before 1.3.17 and 1.4.x before 1.4.12 is prone to a potential SQL injection via search or search_params.

CWE(s): CWE-89 (SQL Injection)
KEV Date Added: 22 June 2023

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: roundcube · Product: webmail · Versions: ≤ 1.3.17 · 1.4.0 — 1.4.12
Vendor: fedoraproject · Product: fedora · Versions: 33, 34
Vendor: debian · Product: debian linux · Versions: 9.0, 10.0, 11.0

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent): Directly requires validation and sanitization of untrusted search/search_params inputs that are the root cause of the SQL injection in Roundcube.

SI-2 Flaw Remediation (prevent): Mandates timely application of the vendor patches that correct the missing input sanitization in the affected search code paths.

Least-privilege database account (prevent): Limits the database privileges granted to the Roundcube application account so that a successful SQL injection yields minimal read/write impact on email data.
