CVE-2026-62644

Source
https://cve.org/CVERecord?id=CVE-2026-62644
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-62644.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-62644
Downstream
Published
2026-07-14T15:55:22.925Z
Modified
2026-07-16T03:48:48.038995429Z
Severity
  • 6.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N CVSS Calculator
Summary
[none]
Details

In Roundcube Webmail before 1.6.17 and 1.7.x before 1.7.2, the password plugin of the Roundcube Webmail was subject to username spoofing via session data, which could lead to account takeover.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/62xxx/CVE-2026-62644.json",
    "cwe_ids": [
        "CWE-290"
    ],
    "cna_assigner": "mitre"
}
References

Affected packages

Git / github.com/roundcube/roundcubemail

Affected ranges

Type
GIT
Repo
https://github.com/roundcube/roundcubemail
Events
Database specific
{
    "extracted_events": [
        {
            "introduced": "1.6.0"
        },
        {
            "fixed": "1.6.17"
        },
        {
            "introduced": "1.7.0"
        },
        {
            "fixed": "1.7.2"
        }
    ],
    "source": "AFFECTED_FIELD"
}

Affected versions

1.*
1.6.0
1.6.1
1.6.10
1.6.11
1.6.12
1.6.13
1.6.14
1.6.15
1.6.16
1.6.2
1.6.3
1.6.4
1.6.5
1.6.6
1.6.7
1.6.8
1.6.9
1.7.0
1.7.1

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-62644.json"