CVE-2026-48844 · Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7.1 has insecure code evaluation logic in LDAP the autovalues option that could lea

01 · The Real Story

This is a loaded nail gun left behind a locked door, not a landmine in the lobby

CVE-2026-48844 is a server-side code injection flaw in Roundcube Webmail's LDAP address book handling. In vulnerable releases, add_autovalues() in rcube_ldap.php could eval() expressions from the LDAP autovalues configuration when a contact record was created, which is why Roundcube removed code-evaluation support entirely in 1.6.16 and 1.7.1. The affected range is Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7.1, disclosed on 2026-05-25.

The vendor's 7.5/HIGH score is technically defensible if you assume an attacker already has a valid Roundcube account and the target actually uses a writable LDAP address book with autovalues logic reachable in production. In real enterprises, those are serious friction points: many Roundcube deployments use LDAP read-only for lookup, not contact creation, and many users never touch LDAP-backed address book creation at all. So this is not an unauthenticated edge-service RCE; it's a niche, post-login path on a public-facing product.

"Real bug, narrow path: this is post-auth and feature-dependent, not a broad internet-wide fire drill."

02 · The Attack Path

4 steps from start to impact.

STEP 01

Get valid Roundcube credentials

The attacker first needs a working Roundcube login, typically via credential reuse, phishing, or prior mailbox compromise. This is a hard prerequisite because the vulnerable path sits behind the authenticated address book workflow, not on the login page or a pre-auth parser.

Conditions required:

Authenticated remote access to Roundcube
Target user account can reach the address book UI/API

Where this breaks in practice:

MFA, SSO, conditional access, and password hygiene cut off the most common entry path
This prerequisite already implies the attacker has cleared initial access

Detection/coverage: SSO/IdP logs, IMAP/webmail login telemetry, and impossible-travel/account-takeover detections should see this step.

STEP 02

Find a writable LDAP address book with autovalues enabled

The exploit path only matters if the deployment uses LDAP-backed address books in writable mode and the vulnerable autovalues behavior is present. Roundcube's own LDAP configuration guidance shows many deployments as read-only lookups, and writable LDAP address books are a narrower admin choice than the product's general exposure suggests.

Conditions required:

LDAP address book configured in Roundcube
That address book is writable or otherwise allows record creation
autovalues is configured on the LDAP source

Where this breaks in practice:

A large share of enterprise LDAP/AD integrations are read-only lookup sources
Config-level preconditions are not visible from external scanning, so attackers must probe or already know the environment

Detection/coverage: Version scanners can flag vulnerable Roundcube versions, but they usually cannot confirm writable LDAP plus autovalues remotely; expect many false positives without local config review.

STEP 03

Trigger contact creation through the address book flow

Using a browser, curl, or Burp Suite, the attacker submits contact data through the authenticated address book creation path. Roundcube's plugin and address book hooks confirm record creation is a discrete action, and the vulnerable code sat in LDAP autovalue generation during this workflow.

Conditions required:

Ability to create or save a contact in the affected LDAP source
Fields used by the autovalue template are attacker-influenced

Where this breaks in practice:

Many users lack permission to create LDAP contacts even if they can browse the directory
Some deployments may never expose LDAP contact creation in normal user workflows

Detection/coverage: Application logs, reverse proxy logs, and anomalous address-book write activity may show the POSTs; commodity scanners rarely exercise this authenticated business path.

STEP 04

Hit the eval() sink and execute server-side code

On vulnerable builds, add_autovalues() could pass generated expressions into PHP eval(), executing in the web server's security context. Roundcube fixed this by deleting the code-evaluation path and leaving only placeholder substitution, which is a strong signal that the exploit value was in the sink itself, not just input validation edge cases.

Conditions required:

Vulnerable Roundcube version
Reachable eval() path in rcube_ldap.php
Attacker-controlled data influences the evaluated expression sufficiently to alter execution

Where this breaks in practice:

The exact exploitability depends on how autovalues templates were authored by the admin
Even successful execution starts as the web/PHP service account, not instant domain admin

Detection/coverage: EDR on the web host should catch child-process execution, shell drops, or abnormal PHP behavior. File integrity monitoring and PHP error logs may also surface failed exploit attempts.

03 · Intelligence Metadata

The supporting signals.

In-the-wild status	As of 2026-05-29, I found no credible public reporting of active exploitation for this CVE. CERT-FR published a general Roundcube bulletin on 2026-05-26, but not exploitation evidence for this issue.
KEV status	Not KEV-listed in the user-supplied intel, and no public evidence surfaced in source review that CISA added this CVE after disclosure.
PoC availability	I found no public GitHub PoC or weaponized exploit repo specifically for CVE-2026-48844 as of 2026-05-29. Current public detail is patch/advisory level, not turnkey exploit level.
EPSS	0.00046; extremely low relative probability signal, which matches the feature-dependent, post-auth path.
Vendor CVSS	7.5 HIGH with `CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H`; translation: remote and severe impact if the attacker already has a login and the rare LDAP write/config path exists.
Affected versions	Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7.1.
Fixed versions	Upgrade to 1.6.16 or 1.7.1. The fix removed support for code evaluation in LDAP `autovalues`; I did not locate distro-specific backport advisories yet.
Reachability reality	Authenticated remote only, then LDAP writable address book only, then `autovalues` configured only. That is three layers of population narrowing before code execution.
Exposure data	Roundcube as a product is very exposed on the internet: Censys reported 2,473,116 exposed Roundcube instances in a 2025-06-10 advisory for another Roundcube flaw. That is product exposure, not a count of CVE-2026-48844-vulnerable nodes, but it does mean Roundcube deserves attention when patch bundles land.
Reporter / disclosure	Roundcube credits Glendaenri in the 2026-05-24 security update notice; CVE publication shows 2026-05-25.

04 · The Call

noisgate verdict.

Final Verdict

↓ DOWNGRADED to MEDIUM (5.1/10)

The single biggest downgrade driver is that exploitation requires authenticated remote access plus a writable LDAP address book configuration using autovalues. That makes this a narrow, post-initial-access RCE path rather than a broad internet-exposed compromise vector.

HIGH Affected/fixed version and sink-removal details

MEDIUM Real-world exploitability across enterprise deployments

Why this verdict

Downgrade for attacker position: the vendor baseline starts at 7.5, but PR:L is not cosmetic here; it means the attacker already has a valid Roundcube session on a public-facing mail system.
Downgrade for exposure population: the vulnerable path appears tied to LDAP-backed address book creation with autovalues, which is a much smaller subset than 'all Roundcube on the internet.'
Downgrade for operational friction: many enterprises use LDAP/AD as a read-only directory source, and modern controls like SSO, MFA, EDR, and web telemetry should catch or constrain the chain before it becomes server-side code execution.

Why not higher?

This is not unauthenticated remote exploitation, and it is not a default-path request smuggling issue that every internet scanner can hit in minutes. The chain is feature- and configuration-dependent, and every prerequisite compounds downward pressure: valid account, LDAP write capability, and a vulnerable autovalues setup.

Why not lower?

Once the chain is present, the impact is still serious because the sink is server-side code execution in a public-facing webmail application. Roundcube is widely exposed, and any authenticated foothold on external mail infrastructure deserves respect even when the vulnerable subfeature is narrow.

05 · Compensating Control

What to do — in priority order.

Disable writable LDAP address books where you can — If the business does not require LDAP contact creation, set those sources read-only or remove them. For a MEDIUM verdict there is no mitigation SLA — go straight to the 365-day remediation window, but this is the cleanest risk reduction if patching is delayed.
Remove or avoid LDAP autovalues expressions — The vulnerable behavior lives in the old code-evaluation support for autovalues; strip those templates from local config if they exist. There is no mitigation SLA for this severity bucket, so treat it as an optional hardening measure while you plan the vendor upgrade.
Tighten mailbox auth paths — Enforce MFA/SSO, monitor suspicious Roundcube logins, and review service accounts or shared mailboxes. The most reliable break in this chain is before the attacker ever becomes an authenticated user.
Watch for web-to-shell behavior on the Roundcube host — Tune EDR to alert when the PHP/web server account spawns shells, downloaders, archive tools, or interpreters. That does not remove the bug, but it sharply reduces dwell time if someone reaches the eval() sink.

What doesn't work

A generic perimeter WAF will not reliably save you here, because the dangerous path is an authenticated business workflow and the final sink is server-side eval() in application logic.
Version-only internet scanning is not enough, because it can tell you the build is old but not whether LDAP is writable or autovalues is configured in a reachable way.
Blocking IMAP or SMTP is irrelevant; the exploit path is in the Roundcube web application and LDAP address book handling.

06 · Verification

Crowdsourced verification payload.

Run this on the Roundcube host as a user that can read the install directory and config, typically root or the webapp admin account. Invoke it as bash rc_check_cve_2026_48844.sh /var/www/roundcube; it needs only local read access and prints VULNERABLE, PATCHED, or UNKNOWN.

noisgate-verify.sh

BASHREAD-ONLYSAFE

#!/usr/bin/env bash
# Check Roundcube for CVE-2026-48844
# Usage: bash rc_check_cve_2026_48844.sh /path/to/roundcube
# Exit codes: 0=PATCHED, 1=VULNERABLE, 2=UNKNOWN, 3=usage/error

set -u

RC_PATH="${1:-}"
if [[ -z "$RC_PATH" || ! -d "$RC_PATH" ]]; then
  echo "UNKNOWN: provide Roundcube install path, e.g. /var/www/roundcube" >&2
  exit 3
fi

VERSION=""
if [[ -f "$RC_PATH/program/lib/Roundcube/bootstrap.php" ]]; then
  VERSION=$(grep -Eo "'\s*[0-9]+\.[0-9]+\.[0-9]+'" "$RC_PATH/program/lib/Roundcube/bootstrap.php" 2>/dev/null | head -n1 | tr -d "' " )
fi
if [[ -z "$VERSION" && -f "$RC_PATH/index.php" ]]; then
  VERSION=$(grep -Eo "[0-9]+\.[0-9]+\.[0-9]+" "$RC_PATH/index.php" 2>/dev/null | head -n1)
fi
if [[ -z "$VERSION" && -f "$RC_PATH/composer.json" ]]; then
  VERSION=$(grep -Eo '"version"\s*:\s*"[0-9]+\.[0-9]+\.[0-9]+"' "$RC_PATH/composer.json" 2>/dev/null | head -n1 | grep -Eo '[0-9]+\.[0-9]+\.[0-9]+')
fi

vuln_version=0
if [[ -n "$VERSION" ]]; then
  if [[ "$VERSION" =~ ^1\.6\. ]]; then
    if [[ "$(printf '%s\n' "$VERSION" "1.6.16" | sort -V | head -n1)" != "1.6.16" ]]; then
      vuln_version=1
    fi
  elif [[ "$VERSION" =~ ^1\.7\. ]]; then
    if [[ "$(printf '%s\n' "$VERSION" "1.7.1" | sort -V | head -n1)" != "1.7.1" ]]; then
      vuln_version=1
    fi
  fi
fi

LDAP_FILE="$RC_PATH/program/lib/Roundcube/rcube_ldap.php"
if [[ ! -f "$LDAP_FILE" ]]; then
  echo "UNKNOWN: rcube_ldap.php not found" >&2
  exit 2
fi

has_eval=0
if grep -Fq 'eval("return ($code);")' "$LDAP_FILE" 2>/dev/null; then
  has_eval=1
fi

cfg_autovalues=0
cfg_writable=0
shopt -s nullglob
for f in "$RC_PATH"/config/*.php "$RC_PATH"/*.inc.php; do
  [[ -f "$f" ]] || continue
  if grep -Eq "['\"]autovalues['\"]\s*=>" "$f" 2>/dev/null; then
    cfg_autovalues=1
  fi
  if grep -Eq "['\"]writable['\"]\s*=>\s*true" "$f" 2>/dev/null; then
    cfg_writable=1
  fi
done
shopt -u nullglob

if [[ $vuln_version -eq 0 && $has_eval -eq 0 ]]; then
  echo "PATCHED: installed code does not show the vulnerable eval path"
  exit 0
fi

if [[ $has_eval -eq 1 && $vuln_version -eq 1 && $cfg_autovalues -eq 1 && $cfg_writable -eq 1 ]]; then
  echo "VULNERABLE: vulnerable version/code path present and local config suggests writable LDAP autovalues are enabled"
  exit 1
fi

if [[ $has_eval -eq 1 && $vuln_version -eq 1 ]]; then
  echo "UNKNOWN: vulnerable version/code path present, but local config did not clearly confirm writable LDAP autovalues"
  exit 2
fi

if [[ $has_eval -eq 1 && -z "$VERSION" ]]; then
  echo "UNKNOWN: vulnerable eval path present but version could not be determined"
  exit 2
fi

echo "UNKNOWN: inconclusive result"
exit 2

07 · Bottom Line

If you remember one thing.

TL;DR

Monday morning, treat this CVE as MEDIUM unless you confirm a writable LDAP address book with autovalues in production; for this bucket there is noisgate mitigation SLA: no mitigation SLA — go straight to the 365-day remediation window. Still, because the same 2026-05-24 Roundcube releases fixed more dangerous bugs in the same train, use local config review this week to identify any LDAP-write deployments, apply hardening there immediately if found, and complete the actual upgrade to 1.6.16 or 1.7.1 inside the noisgate remediation SLA of 365 days at the latest.

Sources

Peer Review

What defenders are saying.

Submit a review attribution: handle + country only

0 flags selected · stored anonymously

Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.