PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-48844 Roundcube CVE debrief

Roundcube Webmail versions 1.6.x prior to 1.6.16 and 1.7.x prior to 1.7.1 contain an insecure code evaluation vulnerability in the LDAP autovalues configuration option. The autovalues feature allowed dynamic attribute generation through code evaluation, which could be exploited to inject and execute arbitrary code. The vulnerability has been resolved by completely removing support for code evaluation in the patched versions. This issue requires network access and low privileges but has high impact on confidentiality, integrity, and availability when exploited.

Vendor
Roundcube
Product
Webmail
CVSS
HIGH 7.5
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-25
Original CVE updated
2026-05-26
Advisory published
2026-05-25
Advisory updated
2026-05-26

Who should care

Organizations running Roundcube Webmail with LDAP authentication enabled; system administrators managing email infrastructure; security teams responsible for webmail security posture; organizations with compliance requirements for input validation and code execution controls

Technical summary

The vulnerability exists in Roundcube's LDAP integration, where the autovalues configuration option permitted PHP code evaluation to dynamically generate LDAP attribute values. This insecure implementation allowed an attacker with low privileges and network access to inject malicious code through manipulated LDAP configuration or input. Attack complexity is rated high because of the conditions that must hold, but successful exploitation yields complete system compromise (high impact on confidentiality, integrity, and availability). The fix removes code evaluation support entirely rather than attempting to sanitize inputs, eliminating the attack surface.

Defensive priority

HIGH

Recommended defensive actions

  • Upgrade Roundcube Webmail to version 1.6.16 (for 1.6.x branch) or 1.7.1 (for 1.7.x branch) or later
  • If immediate patching is not possible, review and disable LDAP autovalues configuration options that utilize code evaluation
  • Audit LDAP configuration files for any autovalues entries containing executable code patterns
  • Monitor application logs for suspicious LDAP-related activity or unexpected code execution
  • Restrict network access to Roundcube administrative interfaces to trusted sources only
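As an added illustration of the audit step above (this is example code written for this debrief, not Roundcube's own code or anything from the vendor advisory), the script below scans a Roundcube-style PHP configuration file for `'autovalues'` arrays and flags templates that look like executable code rather than plain `{attribute}` placeholder strings. Two assumptions are labelled in the code: that autovalues are defined as string values inside an `'autovalues' => array(...)` or `[...]` block of `config.inc.php`, and that function calls, variables, statement separators or PHP open tags in a template are the markers worth flagging. The sample configuration embedded in the script is constructed for the example.

```python
"""Audit helper: flag Roundcube LDAP autovalues templates that look executable.

Assumption: autovalues live in config.inc.php as string values inside an
'autovalues' => array(...) or [...] block. Safe templates are plain text plus
{attribute} placeholders; anything else is reported for manual review.
"""
import re
import sys

# Constructed sample config fragment for the example (not from the page).
SAMPLE_CONFIG = r"""
$config['ldap_public']['corp'] = [
    'name'  => 'Corporate Directory',
    'hosts' => ['ldap.example.test'],
    'autovalues' => [
        'cn'          => '{givenName} {sn}',
        'displayName' => '{givenName} {sn}',
        'mail'        => 'strtolower("{givenName}.{sn}@example.test")',
    ],
];
"""

AUTOVALUES_KEY = re.compile(r"'autovalues'\s*=>\s*(?:array\s*\(|\[)")
ENTRY = re.compile(r"'([^']+)'\s*=>\s*'((?:[^'\\]|\\.)*)'")
PLACEHOLDER = re.compile(r"\{\w+\}")
# Heuristic markers of executable content (assumption, see lead-in):
# function-call parentheses, PHP variables, statement separators, open tags.
SUSPICIOUS = re.compile(r"[()$;]|<\?|\beval\b")


def _extract_block(text, start):
    """Return the text between the bracket at `start` and its matching close,
    ignoring brackets that appear inside single- or double-quoted strings."""
    opener = text[start]
    closer = ")" if opener == "(" else "]"
    depth, i, quote = 0, start, None
    while i < len(text):
        ch = text[i]
        if quote:
            if ch == "\\":
                i += 1            # skip the escaped character
            elif ch == quote:
                quote = None
        elif ch in "'\"":
            quote = ch
        elif ch == opener:
            depth += 1
        elif ch == closer:
            depth -= 1
            if depth == 0:
                return text[start + 1:i]
        i += 1
    return text[start + 1:]       # unterminated block: audit what is there


def find_risky_autovalues(config_text):
    """Return [(attribute, template)] for templates that are not plain
    placeholder strings. An empty list means nothing needs review."""
    findings = []
    for m in AUTOVALUES_KEY.finditer(config_text):
        body = _extract_block(config_text, m.end() - 1)
        for attr, template in ENTRY.findall(body):
            # Remove legitimate {attr} placeholders, then look for code markers.
            if SUSPICIOUS.search(PLACEHOLDER.sub("", template)):
                findings.append((attr, template))
    return findings


def audit_file(path):
    """Read a config file and return its risky autovalues entries."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_risky_autovalues(fh.read())


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    hits = find_risky_autovalues(text)
    for attr, template in hits:
        print(f"REVIEW: autovalue '{attr}' contains code-like content: {template}")
    if not hits:
        print("No code-like autovalues templates found.")
```

Run it with the path to a Roundcube `config.inc.php` as the only argument; with no argument it audits the embedded sample and reports the `mail` entry, whose `strtolower(...)` call is exactly the kind of template that the unpatched versions would have evaluated. Any hit should be removed or rewritten as a plain placeholder string until the upgrade to 1.6.16 or 1.7.1 is complete.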

Evidence notes

CVE published 2026-05-25; modified 2026-05-26. Vendor security advisory dated 2026-05-24. Patches released in versions 1.6.16 and 1.7.1. CVSS 3.1 vector: AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H. CWE-670 (Always-Incorrect Control Flow Implementation).

Official resources

2026-05-25