CVE-2026-48847 Overview
CVE-2026-48847 is a pre-authentication arbitrary file deletion vulnerability affecting Roundcube Webmail. The flaw resides in Roundcube versions 1.6.x prior to 1.6.16 and 1.7.x prior to 1.7.1. Attackers can bypass session storage protections in Redis or Memcache backends through session poisoning, enabling deletion of arbitrary files accessible to the webmail process before authentication. The issue is tracked under [CWE-669: Incorrect Resource Transfer Between Spheres]. Roundcube released fixes in versions 1.6.16 and 1.7.1 on May 24, 2026.
Critical Impact
Unauthenticated remote attackers can delete arbitrary files on hosts running vulnerable Roundcube deployments configured with Redis or Memcache session storage, impacting service availability.
Affected Products
- Roundcube Webmail 1.6.x before 1.6.16
- Roundcube Webmail 1.7.x before 1.7.1
- Deployments using Redis or Memcache as the session storage backend
Discovery Timeline
- 2026-05-24 - Roundcube publishes security update announcement for releases 1.6.16 and 1.7.1
- 2026-05-25 - CVE-2026-48847 published to NVD
- 2026-05-26 - Last updated in NVD database
Technical Details for CVE-2026-48847
Vulnerability Analysis
The vulnerability allows an unauthenticated attacker to poison session data stored in Redis or Memcache, then trigger logic in Roundcube that performs file deletion using attacker-controlled paths. Because the affected code path executes before authentication completes, no valid user credentials are required. The Common Weakness Enumeration classification [CWE-669] reflects the improper transfer of untrusted serialized session data into a security-sensitive file operation context. According to the Exploit Prediction Scoring System (EPSS), the probability of exploitation in the wild is currently low.
Root Cause
The root cause is insufficient validation of session payloads retrieved from external session stores. Roundcube trusts deserialized session structures when resolving file paths used in cleanup or temporary file operations. An attacker able to write crafted entries into the shared session store, or to bypass session identifier protections, can inject arbitrary file paths that the application later removes. The fix commits 703318e6a59515b73b0d8aa2a91e346b02f56baa and a4eb375b98cc3d055de665c34efc729dd8ef272a tighten session validation and isolate session-derived inputs from filesystem operations.
Attack Vector
Exploitation requires network access to a Roundcube instance configured to use Redis or Memcache for session storage. The attacker submits crafted requests that cause poisoned session entries to be stored, then invokes the code path that consumes those entries to perform file deletion. High attack complexity reflects the need to influence session store contents from a pre-authenticated context. Successful exploitation deletes files writable by the webmail service account, which can degrade availability of the mail interface, remove logs, or disrupt dependent services.
No public proof-of-concept code is available. See the Roundcube Security Update Announcement and the upstream patch commits for technical specifics.
Detection Methods for CVE-2026-48847
Indicators of Compromise
- Unexpected deletion of files within the Roundcube installation directory, temporary directories, or log paths owned by the web server user.
- Anomalous entries in Redis or Memcache containing serialized PHP session data referencing filesystem paths.
- HTTP requests to Roundcube endpoints originating from unauthenticated sources immediately preceding file deletions.
Detection Strategies
- Compare the installed Roundcube version against 1.6.16 and 1.7.1 to identify vulnerable hosts.
- Audit Redis and Memcache access controls to confirm that only the Roundcube application can write session keys.
- Inspect web server access logs for repeated pre-authentication requests that interact with session handling endpoints.
Monitoring Recommendations
- Enable file integrity monitoring on the Roundcube webroot, configuration directory, and any shared mail attachment storage.
- Forward Roundcube and web server logs to a centralized log platform and alert on unexpected unlink or deletion patterns.
- Monitor session store traffic for write operations originating from untrusted network segments.
How to Mitigate CVE-2026-48847
Immediate Actions Required
- Upgrade Roundcube Webmail to 1.6.16 or 1.7.1 without delay on all production and staging instances.
- Restrict network access to the Redis or Memcache session backend so that only the Roundcube application server can connect.
- Review filesystem permissions to ensure the web server account has the minimum privileges necessary for normal operation.
Patch Information
Roundcube addressed the vulnerability in releases 1.6.16 and 1.7.1. The fixes are contained in commits 703318e and a4eb375. Administrators should validate the upgrade by checking the installed version through the Roundcube admin interface or the program/include/iniset.php version constant.
Workarounds
- Switch the session backend from Redis or Memcache to database or filesystem storage until patching is complete.
- Place Roundcube behind a reverse proxy or web application firewall that rate-limits and authenticates session-related endpoints.
- Apply strict authentication and ACLs on Redis and Memcache, disabling unauthenticated network exposure.
# Configuration example: enforce password authentication and bind Redis to localhost
# /etc/redis/redis.conf
bind 127.0.0.1
requirepass <strong-random-secret>
protected-mode yes
# Roundcube session backend selection
# config/config.inc.php
$config['session_storage'] = 'db';
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
