{"id":"CVE-2026-35541","details":"An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Incorrect password comparison in the password plugin could lead to type confusion that allows a password change without knowing the old password.","aliases":["GHSA-46pv-mj2g-93gh"],"modified":"2026-07-15T01:49:17.905600959Z","published":"2026-04-03T03:50:47.422Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/35xxx/CVE-2026-35541.json","cna_assigner":"mitre","cwe_ids":["CWE-843"]},"references":[{"type":"WEB","url":"https://github.com/roundcube/roundcubemail/releases/tag/1.5.14"},{"type":"WEB","url":"https://github.com/roundcube/roundcubemail/releases/tag/1.6.14"},{"type":"WEB","url":"https://github.com/roundcube/roundcubemail/releases/tag/1.7-rc5"},{"type":"WEB","url":"https://roundcube.net/news/2026/03/18/security-updates-1.7-rc5-1.6.14-1.5.14"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/35xxx/CVE-2026-35541.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-35541"},{"type":"FIX","url":"https://github.com/roundcube/roundcubemail/commit/2e6a99b2a38110907ea8d3be8e59ec3d5802c394"},{"type":"FIX","url":"https://github.com/roundcube/roundcubemail/commit/6a275676a8043083c05c961914d830b79e2490d4"},{"type":"FIX","url":"https://github.com/roundcube/roundcubemail/commit/6fa2bddc59b9c9fd31cad4a9e2954a208d793dce"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/roundcube/roundcubemail","events":[{"introduced":"0"},{"fixed":"d742954ccbcdee7020f8f2e7c49ce0fca5a0efab"},{"introduced":"993b888afe29c383bf45c84f17090f4db96367ba"},{"fixed":"27ec6cc9cb25e1ef8b4d4ef39ce76d619caa6870"},{"fixed":"2e6a99b2a38110907ea8d3be8e59ec3d5802c394"},{"fixed":"6a275676a8043083c05c961914d830b79e2490d4"},{"fixed":"6fa2bddc59b9c9fd31cad4a9e2954a208d793dce"},{"fixed":"8e4a99b0746577c2928f5ae984b3ab533b970ca0"}],"database_specific":{"cpe":"cpe:2.3:a:roundcube:webmail:*:*:*:*:*:*:*:*","extracted_events":[{"introduced":"0"},{"fixed":"1.5.14"},{"introduced":"1.6.0"},{"fixed":"1.6.14"}],"source":["CPE_RANGE","REFERENCES"]}}],"versions":["1.7-rc4","1.5.13","1.6.13","1.7-rc3","1.7-rc2","1.5.12","1.6.12","1.7-rc","1.5.11","1.7-beta2","1.7-beta","1.5.10","1.6.11","1.6.10","1.5.9","1.6.9","1.5.8","1.6.8","1.5.7","1.6.7","1.6.6","1.5.6","1.6.5","1.5.5","1.6.4","1.6.3","1.5.4","1.6.2","1.6.1","1.5.3","1.6.0","1.6-beta","1.5.2","1.5.1","1.5.0","1.5-rc","1.5-beta","1.4-rc2","1.4-rc1","1.4-beta","1.3-beta","1.2-rc","1.2-beta","1.1.0","1.1-rc","1.1-beta","v0.1-beta2"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-35541.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N"}]}