
CVE-2026-35537

Severity: Low
Published: 03 April 2026
Modified: 13 April 2026
KEV: not listed
Patch: available
CVSS v3.1 score: 3.7 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)
EPSS score: 0.0005 (16.2th percentile)
Risk Priority: 7 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-35537 is a low-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Roundcube Webmail. Its CVSS base score is 3.7 (Low).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Its EPSS score places it at the 16.2th percentile of exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-35537 is an unsafe deserialization vulnerability in the redis/memcache session handler of Roundcube Webmail versions prior to 1.5.14 and 1.6.14. This flaw, classified under CWE-502 (Deserialization of Untrusted Data), allows crafted session data to trigger arbitrary file write operations. The vulnerability received a CVSS v3.1 base score of 3.7 (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N), reflecting low severity due to high attack complexity and limited integrity impact.

Unauthenticated attackers can exploit this issue over the network by supplying specially crafted session data to the affected session handler. Successful exploitation enables arbitrary file writes on the server, potentially leading to further compromise depending on file locations and permissions, though no confidentiality or availability impacts are directly associated.

Mitigation involves upgrading to Roundcube Webmail 1.5.14 or 1.6.14, as detailed in the project's release notes. Relevant patches are available in specific GitHub commits, including 618c5428edc69fb088e7ac6c89e506dd39df3, 6d586cfa4d8a31f7957f7a445aaedd52592a0e74, and a4ead994d2f0ea92e4a1603196a197e0d5df1620.
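The practical first step in remediation is confirming which installs are still on a vulnerable build. The check below is an added example, not code from Roundcube or from this advisory's publisher; it encodes the fixed versions the advisory names (1.5.14 and 1.6.14) and reads the version string from Roundcube's program/include/iniset.php, whose `define('RCMAIL_VERSION', ...)` line is an assumed location and form. The sample file content is constructed for the demonstration.

```python
import re
from typing import Optional, Tuple

# Fixed versions named by the advisory: the 1.5 branch is fixed in 1.5.14 and
# the 1.6 branch in 1.6.14. Anything older than these on each branch is affected.
FIXED_VERSIONS = {
    (1, 5): (1, 5, 14),
    (1, 6): (1, 6, 14),
}

# major.minor[.patch][-suffix]; the suffix (e.g. "-beta") marks a pre-release.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:[-.]?([A-Za-z].*))?$")


def parse_version(text: str) -> Tuple[Tuple[int, int, int], bool]:
    """Return ((major, minor, patch), is_prerelease) for a Roundcube-style version.

    A missing patch number counts as 0.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, suffix = m.groups()
    return (int(major), int(minor), int(patch or 0)), suffix is not None


def is_affected(version: str) -> bool:
    """True if the version falls inside the advisory's stated vulnerable ranges."""
    nums, prerelease = parse_version(version)
    branch = nums[:2]
    fixed = FIXED_VERSIONS.get(branch)
    if fixed is None:
        # Assumption: branches older than 1.5 predate both fixes and are treated
        # as affected; newer branches lie outside the advisory's stated ranges.
        return branch < (1, 5)
    if nums < fixed:
        return True
    if nums == fixed and prerelease:
        return True  # e.g. 1.6.14-beta predates the 1.6.14 release
    return False


def version_from_iniset(source: str) -> Optional[str]:
    """Extract RCMAIL_VERSION from the text of program/include/iniset.php.

    Assumed file location and define() form; adjust if your install differs.
    """
    m = re.search(r"define\(\s*'RCMAIL_VERSION'\s*,\s*'([^']+)'\s*\)", source)
    return m.group(1) if m else None


# Constructed sample of the relevant iniset.php line, not copied from Roundcube.
SAMPLE_INISET = "<?php\n// ...\ndefine('RCMAIL_VERSION', '1.6.13');\n"


def check_install(iniset_source: str) -> str:
    """Summarise whether an install is affected by CVE-2026-35537."""
    version = version_from_iniset(iniset_source)
    if version is None:
        return "unknown: RCMAIL_VERSION not found"
    status = "AFFECTED" if is_affected(version) else "not affected"
    return f"Roundcube {version}: {status} by CVE-2026-35537"


if __name__ == "__main__":
    # On a real host, read program/include/iniset.php instead of the sample.
    print(check_install(SAMPLE_INISET))
```

Run it against the real iniset.php (or a version string from your inventory tooling) on each Roundcube host; the pre-release handling matters because a build labelled 1.6.14-beta is not the fixed release.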


Vulnerability details

An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Unsafe deserialization in the redis/memcache session handler may lead to arbitrary file write operations by unauthenticated attackers via crafted session data.

CWE(s)

CWE-502 Deserialization of Untrusted Data

Related Threats

MITRE ATT&CK Enterprise Techniques

- T1190 Exploit Public-Facing Application (Initial Access): adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1505.003 Web Shell (Persistence): adversaries may backdoor web servers with web shells to establish persistent access to systems.
Why these techniques?

Vulnerability in public-facing Roundcube Webmail enables unauthenticated network exploitation (T1190) via deserialization to achieve arbitrary file writes, which can facilitate deployment of web shells (T1505.003) depending on write locations and permissions.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

- CVE-2025-68461: same product (Roundcube Webmail)
- CVE-2026-35545: same product (Roundcube Webmail)
- CVE-2023-5631: same product (Roundcube Webmail)
- CVE-2022-41082: same product class (email / collaboration)
- CVE-2025-25064: same product class (email / collaboration)
- CVE-2025-68645: same product class (email / collaboration)
- CVE-2026-25031: shared CWE-502
- CVE-2025-31103: shared CWE-502
- CVE-2025-55010: shared CWE-502
- CVE-2026-27369: shared CWE-502

Affected Assets

roundcube webmail: ≤ 1.5.14 · 1.6.0 to 1.6.14

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

- Prevent: SI-2 Flaw Remediation requires timely patching of known vulnerabilities like this unsafe deserialization in Roundcube's session handler, directly preventing exploitation.
- Prevent: SI-10 Information Input Validation ensures session data from redis/memcache is checked for validity before deserialization, blocking crafted malicious payloads.
- Detect: SI-7 Software and Information Integrity monitoring detects unauthorized file writes resulting from successful deserialization exploitation.
