
Roundcube Vulnerability Allows Security Policy Bypass

CERT-FR Security Advisories (www.cert.ssi.gouv.fr)
Published March 30th, 2026
Detected March 30th, 2026

Summary

CERT-FR issued an advisory warning of a security policy bypass vulnerability in Roundcube Webmail affecting versions 1.5.x prior to 1.5.15, 1.6.x prior to 1.6.15, and 1.7.x prior to 1.7-rc6. The vulnerability, disclosed by Roundcube on March 29, 2026, allows attackers to bypass security policies. Organizations running affected versions should update immediately.

What changed

CERT-FR published advisory CERTFR-2026-AVI-0373 alerting organizations to a security policy bypass vulnerability in Roundcube Webmail. The flaw affects versions 1.5.x before 1.5.15, 1.6.x before 1.6.15, and 1.7.x before 1.7-rc6. The vulnerability was disclosed in Roundcube's security-updates-1.7-rc6-1.6.15-1.5.15 bulletin dated March 29, 2026.

Organizations running affected Roundcube instances should immediately update to patched versions (1.5.15, 1.6.15, or 1.7-rc6 and later). No specific compliance deadline is imposed by this advisory. Organizations should reference the official Roundcube security bulletin for detailed patch instructions and assess their exposure if they cannot update immediately.

What to do next

  1. Identify all Roundcube Webmail instances in your environment and verify their version numbers
  2. Update affected Roundcube installations to version 1.5.15, 1.6.15, 1.7-rc6 or later
  3. Review the Roundcube security bulletin for additional mitigations if immediate patching is not possible
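
A version triage for steps 1 and 2, as an added example that is not part of the advisory or of Roundcube: it classifies version strings against the fixed releases listed above. The hostnames and inventory are constructed, and the pre-release ordering (alpha, beta, rc, then final) is an assumption.

```python
import re

# Fixed releases per branch, taken from the advisory text above.
FIXED = {"1.5": "1.5.15", "1.6": "1.6.15", "1.7": "1.7-rc6"}

# Assumption: pre-release tags sort alpha < beta < rc < final release.
_STAGE = {"alpha": 0, "beta": 1, "rc": 2, "": 3}
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)(\d*))?$")

# Constructed inventory: hostnames and versions are made up for illustration.
INVENTORY = {
    "webmail-1.example.org": "1.5.9",
    "webmail-2.example.org": "1.6.15",
    "webmail-3.example.org": "1.7-rc5",
    "webmail-4.example.org": "1.7.0",
    "webmail-5.example.org": "1.4.13",
    "webmail-6.example.org": "1.7-git",
}


def parse(version):
    """Turn '1.6.15' or '1.7-rc6' into a sortable tuple, or None if unparseable."""
    m = _VERSION_RE.match(version.strip().lower())
    if not m:
        return None
    major, minor, patch, stage, stage_n = m.groups()
    return (int(major), int(minor), int(patch or 0),
            _STAGE[stage or ""], int(stage_n or 0))


def classify(version):
    """Return 'affected', 'patched', 'not-listed' or 'unknown' for one version."""
    parsed = parse(version)
    if parsed is None:
        return "unknown"        # unrecognised string: check the host by hand
    branch = f"{parsed[0]}.{parsed[1]}"
    if branch not in FIXED:
        return "not-listed"     # the advisory says nothing about this branch
    return "affected" if parsed < parse(FIXED[branch]) else "patched"


def triage(inventory):
    """Map each host to its status so affected hosts can be queued for update."""
    return {host: classify(version) for host, version in inventory.items()}


if __name__ == "__main__":
    for host, status in sorted(triage(INVENTORY).items()):
        print(f"{host:24} {INVENTORY[host]:10} {status}")
```

A `not-listed` result means the branch is outside the three ranges the advisory names, not that the instance is unaffected.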

Source document (simplified)

Prime Minister S.G.D.S.N

Agence nationale de la sécurité des systèmes d'information

Paris, March 30, 2026
No. CERTFR-2026-AVI-0373
Case handled by: CERT-FR

CERT-FR Advisory

Subject: Vulnerability in Roundcube

Document management

| Reference | CERTFR-2026-AVI-0373 |
| Title | Vulnerability in Roundcube |
| Date of first version | March 30, 2026 |
| Date of latest version | March 30, 2026 |
| Source(s) | Roundcube security bulletin security-updates-1.7-rc6-1.6.15-1.5.15 of March 29, 2026 |

A detailed version history is provided at the end of this document.

Risk

  • Security policy bypass

Affected systems

  • Roundcube Webmail versions 1.5.x prior to 1.5.15
  • Roundcube Webmail versions 1.6.x prior to 1.6.15
  • Roundcube Webmail versions 1.7.x prior to 1.7-rc6

Summary

A vulnerability has been discovered in Roundcube. It allows an attacker to bypass the security policy.

Solutions

Refer to the vendor's security bulletin to obtain the patches (see the Documentation section).

Documentation


Detailed document history

  1. March 30, 2026: Initial version

Named provisions

CERT-FR Advisory; Subject: Vulnerability in Roundcube; Affected systems; Solutions

Source

Analysis generated by AI. Source diff and links are from the original.

Classification

| Agency | CERT-FR |
| Published | March 30th, 2026 |
| Instrument | Guidance |
| Legal weight | Non-binding |
| Stage | Final |
| Change scope | Minor |
| Document ID | CERTFR-2026-AVI-0373 |

Who this affects

| Applies to | Government agencies; Technology companies; Educational institutions |
| Industry sector | 5112 Software & Technology; 9211 Government & Public Administration; 6111 Higher Education |
| Activity scope | Vulnerability Management; Email System Security; Patch Management |
| Geographic scope | France (FR) |

Taxonomy

| Primary area | Cybersecurity |
| Operational domain | IT Security |
| Compliance frameworks | NIST CSF; NIST 800-53 |
| Topics | Data Privacy; Telecommunications |
