Cyber Posture

CVE-2026-35537

Low

Published: 03 April 2026
Modified: 13 April 2026
KEV Added: not listed
Patch: available
CVSS Score: 3.7 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)
EPSS Score: 0.0003 (8.1th percentile)
Risk Priority: 7 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-35537 is a low-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Roundcube Webmail. Its CVSS base score is 3.7 (Low).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Its EPSS score ranks at the 8.1th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and one other technique (T1505.003). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) [AI-generated]

prevent: SI-2 Flaw Remediation requires timely patching of known vulnerabilities like this unsafe deserialization in Roundcube's session handler, directly preventing exploitation.

prevent: SI-10 Information Input Validation ensures session data from redis/memcache is checked for validity before deserialization, blocking crafted malicious payloads.

detect: SI-7 Software and Information Integrity monitoring detects unauthorized file writes resulting from successful deserialization exploitation.

MITRE ATT&CK Enterprise Techniques [AI-generated]

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1505.003 Web Shell (Persistence): Adversaries may backdoor web servers with web shells to establish persistent access to systems.

Why these techniques?

Vulnerability in public-facing Roundcube Webmail enables unauthenticated network exploitation (T1190) via deserialization to achieve arbitrary file writes, which can facilitate deployment of web shells (T1505.003) depending on write locations and permissions.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Unsafe deserialization in the redis/memcache session handler may lead to arbitrary file write operations by unauthenticated attackers via crafted session data.

Deeper analysis [AI-generated]

CVE-2026-35537 is an unsafe deserialization vulnerability in the redis/memcache session handler of Roundcube Webmail versions prior to 1.5.14 and 1.6.14. This flaw, classified under CWE-502 (Deserialization of Untrusted Data), allows crafted session data to trigger arbitrary file write operations. The vulnerability received a CVSS v3.1 base score of 3.7 (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N), reflecting low severity due to high attack complexity and limited integrity impact.

Unauthenticated attackers can exploit this issue over the network by supplying specially crafted session data to the affected session handler. Successful exploitation enables arbitrary file writes on the server, potentially leading to further compromise depending on file locations and permissions; the CVSS vector records no direct confidentiality or availability impact.

Mitigation involves upgrading to Roundcube Webmail 1.5.14 or 1.6.14, as detailed in the project's release notes. Relevant patches are available in specific GitHub commits, including 618c5428edc69fb088e7ac6c89e506dd39df3, 6d586cfa4d8a31f7957f7a445aaedd52592a0e74, and a4ead994d2f0ea92e4a1603196a197e0d5df1620.

Details

CWE(s): CWE-502 (Deserialization of Untrusted Data)

Affected Products: roundcube webmail, ≤ 1.5.14 · 1.6.0 — 1.6.14

CVEs Like This One

CVE-2025-68461 (same product: Roundcube Webmail)
CVE-2026-35545 (same product: Roundcube Webmail)
CVE-2026-27369 (shared CWE-502)
CVE-2026-25031 (shared CWE-502)
CVE-2025-25064 (same product class: email / collaboration)
CVE-2025-68645 (same product class: email / collaboration)
CVE-2025-55010 (shared CWE-502)
CVE-2025-31103 (shared CWE-502)
CVE-2025-66376 (same product class: email / collaboration)
CVE-2026-2471 (shared CWE-502)

References