PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-48847 Roundcube CVE debrief

A session poisoning vulnerability in Roundcube Webmail allows pre-authentication arbitrary file deletion when Redis or Memcache is configured as the session backend. The flaw exists in versions 1.6.x before 1.6.16 and 1.7.x before 1.7.1. An attacker can manipulate session data stored in Redis/Memcache to inject malicious file paths that get processed during session operations, leading to unauthorized file deletion on the server filesystem. The attack requires network access but no authentication, though the attack complexity is high due to the need to poison the external session store. The CVSS 3.1 score of 3.7 (LOW) reflects limited availability impact with no confidentiality or integrity impact to application data, though arbitrary file deletion poses operational risk. The vendor released security updates on May 24, 2026, with patches addressing the session handling logic.

Vendor: Roundcube
Product: Webmail
CVSS: 3.7 (Low)
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-25
Original CVE updated: 2026-05-26
Advisory published: 2026-05-25
Advisory updated: 2026-05-26

Who should care

Organizations running Roundcube Webmail with Redis or Memcache session backends, particularly those with versions prior to 1.6.16 or 1.7.1. System administrators responsible for webmail infrastructure security and those managing shared hosting environments where file deletion could impact multiple tenants.

Technical summary

The vulnerability stems from insufficient validation of session data when using Redis or Memcache as external session storage backends. An attacker with network access to the session store can inject crafted session values that, when processed by Roundcube's session handler, result in arbitrary file path evaluation and deletion. The attack vector is network-based with high complexity due to session store access requirements. The CVSS vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L indicates network attack vector, high attack complexity, no privileges required, no user interaction, unchanged scope, and low availability impact. CWE-669 (Incorrect Resource Transfer Between Spheres) is the identified weakness classification.

Defensive priority

Medium

Recommended defensive actions

  • Upgrade Roundcube Webmail to version 1.6.16 (for 1.6.x branch) or 1.7.1 (for 1.7.x branch)
  • If using Redis or Memcache for session storage, restrict network access to the session store to the Roundcube hosts that need it and verify that session data integrity controls are in place
  • Review filesystem permissions to limit impact of potential file deletion operations
  • Monitor for unusual session activity or file system modifications on Roundcube servers
  • Apply principle of least privilege to web server process filesystem access
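As an added example, and not PatchSiren's or Roundcube's own code, the following triage script applies the two conditions this debrief states (an affected version, 1.6.x before 1.6.16 or 1.7.x before 1.7.1, combined with Redis or Memcache as the session backend) to an installed version string and a config.inc.php, and additionally flags session-store hosts that are not loopback, since the attack needs network access to the store. It assumes the Roundcube configuration keys `session_storage`, `redis_hosts` and `memcache_hosts`, which the page does not mention; confirm them against the defaults.inc.php shipped with your version. The sample config is constructed.

```python
# Added example: local exposure triage for this advisory.
# Assumption: Roundcube's config.inc.php uses the keys `session_storage`,
# `redis_hosts` and `memcache_hosts` (taken from defaults.inc.php, not from the
# debrief). The affected ranges below are the ones the debrief states.
import re

FIXED = {(1, 6): (1, 6, 16), (1, 7): (1, 7, 1)}  # branch -> first fixed version

# Constructed sample configuration, not a real deployment.
SAMPLE_CONFIG = """<?php
$config['session_storage'] = 'redis';
$config['redis_hosts'] = ['10.0.0.5:6379', 'localhost:6379'];
"""


def parse_version(v: str) -> tuple:
    """'1.6.15' -> (1, 6, 15); trailing tags such as '-rc1' are ignored."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:[-.].*)?", v.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {v!r}")
    return tuple(int(x) for x in m.groups())


def version_affected(v: str):
    """True/False for the branches the advisory names, None for any other branch."""
    ver = parse_version(v)
    fixed = FIXED.get(ver[:2])
    if fixed is None:
        return None
    return ver < fixed


def read_config(php_text: str) -> dict:
    """Pull the handful of $config[...] assignments we need out of PHP text."""
    out = {}
    for key in ("session_storage", "redis_hosts", "memcache_hosts"):
        m = re.search(rf'\$config\[[\'"]{key}[\'"]\]\s*=\s*(.*?);', php_text, re.S)
        if m:
            out[key] = m.group(1).strip()
    return out


def hosts_from(value: str) -> list:
    """Quoted entries of a PHP array literal such as ['host:port', ...]."""
    return re.findall(r"['\"]([^'\"]+)['\"]", value)


def is_local(host: str) -> bool:
    """Loopback addresses and unix-socket paths do not expose the store on the network."""
    h = host.split("://")[-1].split(":")[0]
    return h in ("localhost", "127.0.0.1", "::1") or h.startswith("/")


def assess(version: str, config_text: str) -> dict:
    cfg = read_config(config_text)
    backend = cfg.get("session_storage", "'db'").strip("'\"").lower()
    uses_external = backend in ("redis", "memcache", "memcached")
    affected = version_affected(version)
    findings = []
    if affected:
        branch = parse_version(version)[:2]
        fix = ".".join(map(str, FIXED[branch]))
        findings.append(f"version {version} is in the affected {branch[0]}.{branch[1]}.x range; upgrade to {fix}")
    elif affected is None:
        findings.append(f"version {version} is outside the branches named in the advisory; check the vendor advisory")
    if uses_external:
        findings.append(f"session_storage is '{backend}': the external session store is the attack surface")
        hosts_key = "redis_hosts" if backend == "redis" else "memcache_hosts"
        remote = [h for h in hosts_from(cfg.get(hosts_key, "")) if not is_local(h)]
        if remote:
            findings.append("session store hosts reachable over the network: " + ", ".join(remote))
    return {"vulnerable": bool(affected) and uses_external, "findings": findings}


if __name__ == "__main__":
    result = assess("1.6.15", SAMPLE_CONFIG)
    print("vulnerable:", result["vulnerable"])
    for f in result["findings"]:
        print(" -", f)
```

Run it with the real config.inc.php contents and the version string of the installed copy; a `db` or `php` session backend on an affected version still warrants the upgrade, but the script reports it as not matching the debrief's vulnerable configuration.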

Evidence notes

CVE published 2026-05-25; modified 2026-05-26. Vendor security advisory dated 2026-05-24. Patches committed to GitHub repository. NVD status: Deferred.

Official resources

2026-05-25