CVE-2021-44026 Overview
CVE-2021-44026 is a SQL Injection vulnerability affecting Roundcube Webmail versions before 1.3.17 and 1.4.x before 1.4.12. The vulnerability exists in the search functionality, specifically through the search or search_params parameters, allowing attackers to inject malicious SQL commands through user-controllable input. This vulnerability has been added to the CISA Known Exploited Vulnerabilities Catalog, indicating active exploitation in the wild.
Critical Impact
Unauthenticated attackers can exploit this SQL injection vulnerability to compromise the underlying database, potentially extracting sensitive email data, user credentials, and configuration information. This vulnerability is actively exploited in the wild.
Affected Products
- Roundcube Webmail versions prior to 1.3.17
- Roundcube Webmail versions 1.4.x prior to 1.4.12
- Fedora 33 and Fedora 34 (via packaged Roundcube)
- Debian Linux 9.0, 10.0, and 11.0 (via packaged Roundcube)
Discovery Timeline
- 2021-11-19 - CVE-2021-44026 published to NVD
- 2025-11-04 - Last updated in NVD database
Technical Details for CVE-2021-44026
Vulnerability Analysis
This SQL injection vulnerability occurs in Roundcube Webmail's addressbook component, specifically in the contact search functionality. The application fails to properly validate and sanitize user-supplied input through the _search request parameter before using it to access session data. When the search and search_params session items are retrieved based on user input without proper type checking, an attacker can manipulate the flow to inject malicious SQL queries.
The vulnerability affects the addressbook export and function modules (program/steps/addressbook/export.inc and program/steps/addressbook/func.inc), where the application directly uses request parameters to index into session arrays without validating that the retrieved data is of the expected type (array).
Root Cause
The root cause of this vulnerability is insufficient input validation and improper type checking when handling session-stored search parameters. The original code used a type cast (array) on potentially untrusted session data rather than properly validating that the data was already an array. This allowed attackers to control the structure and content of data that would subsequently be used in database queries.
The vulnerable code paths directly accessed $_SESSION['search'][$_REQUEST['_search']] without verifying the integrity and type of the stored data, creating an opportunity for SQL injection through manipulated session content.
Attack Vector
The attack is network-based and requires no authentication or user interaction. An attacker can craft malicious HTTP requests containing specially crafted values in the _search parameter. By manipulating how the application retrieves and processes session-stored search data, the attacker can inject SQL commands that execute against the backend database.
The attack flow involves:
- Sending requests to the addressbook export or search functionality
- Exploiting the insufficient validation of the _search parameter
- Causing the application to process attacker-controlled data as part of SQL queries
- Achieving unauthorized database access, data extraction, or modification
// Security patch in program/steps/addressbook/export.inc
// Source: https://github.com/roundcube/roundcubemail/commit/c8947ecb762d9e89c2091bda28d49002817263f1
$RCMAIL->request_security_check(rcube_utils::INPUT_GET);
// Use search result
-if (!empty($_REQUEST['_search']) && isset($_SESSION['search'][$_REQUEST['_search']])) {
+if (!empty($_REQUEST['_search']) && isset($_SESSION['contact_search'][$_REQUEST['_search']])
+ && is_array($_SESSION['contact_search'][$_REQUEST['_search']])
+) {
$sort_col = $RCMAIL->config->get('addressbook_sort_col', 'name');
- $search = (array)$_SESSION['search'][$_REQUEST['_search']];
+ $search = $_SESSION['contact_search'][$_REQUEST['_search']];
$records = array();
// Get records from all sources
// Security patch in program/steps/addressbook/func.inc
// Source: https://github.com/roundcube/roundcubemail/commit/c8947ecb762d9e89c2091bda28d49002817263f1
{
global $RCMAIL;
- if (($search_request = $_REQUEST['_search']) && isset($_SESSION['search'][$search_request])) {
- $search = (array)$_SESSION['search'][$search_request];
+ if (($search_request = $_REQUEST['_search']) && isset($_SESSION['contact_search'][$search_request])
+ && is_array($_SESSION['contact_search'][$search_request])
+ ) {
+ $search = $_SESSION['contact_search'][$search_request];
$sort_col = $RCMAIL->config->get('addressbook_sort_col', 'name');
$afields = $return ? $RCMAIL->config->get('contactlist_fields') : array('name', 'email');
$records = array();
Detection Methods for CVE-2021-44026
Indicators of Compromise
- Unusual SQL error messages in Roundcube web server logs, particularly related to addressbook queries
- Abnormal request patterns to /addressbook/export or addressbook-related endpoints containing suspicious _search parameter values
- Evidence of data exfiltration or unauthorized database queries in database audit logs
- Unexpected modifications to contact data or database records
Detection Strategies
- Monitor web application firewall (WAF) logs for SQL injection patterns targeting Roundcube addressbook endpoints
- Implement database query auditing to detect anomalous queries originating from the Roundcube application
- Deploy intrusion detection system (IDS) rules to identify SQL injection payloads in HTTP requests to Roundcube
- Review Roundcube access logs for requests containing encoded SQL commands or union-based injection attempts
Monitoring Recommendations
- Enable verbose logging for the Roundcube application and underlying database
- Configure real-time alerting for database errors or suspicious query patterns
- Monitor for unauthorized access to sensitive database tables containing user credentials and email content
- Implement network traffic analysis to detect data exfiltration attempts
How to Mitigate CVE-2021-44026
Immediate Actions Required
- Upgrade Roundcube Webmail to version 1.3.17 or later (for 1.3.x branch) or version 1.4.12 or later (for 1.4.x branch) immediately
- If immediate patching is not possible, consider temporarily disabling the addressbook export functionality
- Review database audit logs for signs of prior exploitation
- Reset database credentials and rotate any potentially exposed secrets
Patch Information
Roundcube has released security patches addressing this vulnerability. The fixes are available in the following versions:
- Roundcube 1.3.17 - Patched release for the 1.3.x branch
- Roundcube 1.4.12 - Patched release for the 1.4.x branch
The patches rename session items from search and search_params to contact_search and contact_search_params, and add explicit is_array() type checking to prevent type juggling attacks. Security commits are available at GitHub Roundcube Commit c8947ecb and GitHub Roundcube Commit ee809bde.
Distribution-specific patches are available via Debian Security Advisory DSA-5013 and Fedora package updates.
Workarounds
- Implement a Web Application Firewall (WAF) with rules to block SQL injection attempts targeting the _search parameter
- Restrict network access to the Roundcube installation to trusted networks only
- Consider placing the Roundcube database behind a database firewall with query whitelisting
- Monitor and audit all database queries for anomalous patterns until patching can be completed
# Configuration example: Apache mod_security rule to block suspicious search parameters
# Add to your Roundcube virtual host configuration
SecRule ARGS:_search "@detectSQLi" \
"id:1001,\
phase:2,\
deny,\
status:403,\
msg:'Potential SQL Injection in Roundcube search parameter',\
log,\
auditlog"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
