CVE-2021-44026 — Roundcube Webmail SQL Injection Vulnerability

CVE-2021-44026

Roundcube Webmail — Unauthenticated SQL Injection via Search Parameter Enabling Database Access and Credential Theft

What is Roundcube Webmail?

Roundcube is a widely deployed open-source webmail client used by ISPs, hosting providers, universities, government agencies and enterprises as the browser front end for IMAP mail servers. It is particularly common in hosting environments and smaller organisations that prefer open-source mail infrastructure to commercial alternatives. Because Roundcube renders mail from external senders, and because it holds the credentials it uses to log in to the IMAP server on the user's behalf (in its server-side session store, not only in the browser), a flaw in Roundcube can hand an attacker both mailbox contents and the credentials that protect them.

Overview

CVE-2021-44026 is a SQL injection vulnerability (CWE-89) in Roundcube Webmail. The values of the search and search_params parameters reach a database query without proper parameterisation or escaping, so an attacker who controls those values can inject SQL. Successful exploitation can expose the Roundcube database: message metadata and cache tables, the users table, and the session table, which holds each logged-in user's serialised session data including the encrypted IMAP password. NVD scores the issue 9.8 with a PR:N vector; see the note on authentication state under Technical Details. Roundcube shipped fixed releases on 2021-11-12; CISA added the CVE to its Known Exploited Vulnerabilities catalog on 2023-06-22 on the basis of confirmed in-the-wild exploitation.

Affected Versions

Product                       Vulnerable       Fixed
Roundcube 1.3.x (and older)   < 1.3.17         1.3.17
Roundcube 1.4.x               < 1.4.12         1.4.12
Roundcube 1.5.x               Not affected     N/A

NVD phrases the affected range as "before 1.3.17 and 1.4.x before 1.4.12", so out-of-support 1.2.x and earlier installations are in scope as well. 1.3.17 was also the final release of the 1.3 series, so a 1.3 installation should plan a move to a current series rather than stopping there.
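Added example, not code from the Roundcube project or from this advisory: a small checker that maps a version string onto the affected ranges above. It assumes the range exactly as NVD states it (everything before 1.3.17, plus 1.4.x before 1.4.12, with 1.5 and later unlisted), reads the version from the RCMAIL_VERSION define that Roundcube keeps in program/include/iniset.php, and deliberately treats a pre-release build of a fixed version (1.4.12-rc, for instance) as still unfixed. The iniset.php snippet is constructed for the example.

```python
import re

# Added example for this advisory; not code from the Roundcube project.
# Affected range per NVD: "before 1.3.17 and 1.4.x before 1.4.12".
# Version tuples are (major, minor, patch, final) where final is 0 for a
# pre-release tag (rc/beta/alpha/git) and 1 for a final release, so that
# 1.4.12-rc sorts below 1.4.12 and is still reported as vulnerable.
FIXED_1_4 = (1, 4, 12, 1)
FIXED_OLDER = (1, 3, 17, 1)

# Roundcube defines its version as RCMAIL_VERSION in program/include/iniset.php.
INISET_PATTERN = re.compile(r"define\(\s*'RCMAIL_VERSION'\s*,\s*'([^']+)'\s*\)")
VERSION_PATTERN = re.compile(
    r"^\s*v?(\d+)\.(\d+)(?:\.(\d+))?(?:[-.]?(rc|beta|alpha|git)\w*)?", re.IGNORECASE)

def parse_version(text):
    """Turn '1.4.11', 'v1.4.12', '1.4.12-rc' or '1.3' into a comparable tuple."""
    m = VERSION_PATTERN.match(text)
    if not m:
        raise ValueError(f"unrecognised Roundcube version string: {text!r}")
    major, minor, patch, pre = m.groups()
    return (int(major), int(minor), int(patch or 0), 0 if pre else 1)

def is_vulnerable(version):
    """True if the Roundcube version falls inside the CVE-2021-44026 range."""
    v = parse_version(version)
    if v[:2] == (1, 4):
        return v < FIXED_1_4
    if v[:3] >= (1, 5, 0):
        return False          # 1.5 and later are not listed as affected
    return v < FIXED_OLDER    # 1.3.x and every older series: fixed only from 1.3.17

def version_from_iniset(source):
    """Extract the version string from the contents of program/include/iniset.php."""
    m = INISET_PATTERN.search(source)
    if not m:
        raise ValueError("RCMAIL_VERSION not found in iniset.php contents")
    return m.group(1)

# Constructed stand-in for the relevant line of iniset.php (not taken from a real server).
SAMPLE_INISET = "<?php\n// ... \ndefine('RCMAIL_VERSION', '1.4.11');\n"

if __name__ == "__main__":
    v = version_from_iniset(SAMPLE_INISET)
    print(v, "VULNERABLE" if is_vulnerable(v) else "fixed")
```

On a real host, feed `version_from_iniset()` the contents of `program/include/iniset.php` from the web root; the check works from the file alone, so it can run from configuration-management inventory without touching the running service.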

Technical Details

The vulnerability is a classic SQL injection (CWE-89) reached through Roundcube's mail search. Values originating from the search and search_params parameters are incorporated into a database query without adequate parameterisation or escaping:

  • Injection point: the search and search_params values handled by Roundcube's search code. NVD describes the issue only as "a potential SQL injection via search or search_params"; the vendor advisory does not publish the exact query
  • Authentication state: NVD's CVSS vector assigns PR:N (no privileges). In a stock deployment, however, mail search is a function of the logged-in webmail interface, so plan for any valid webmail account (including a phished or password-sprayed one) being sufficient for exploitation rather than assuming a purely unauthenticated attacker is required
  • Impact: SQL access to the Roundcube database with the privileges of the application's database user: reading message cache and metadata tables, the users table and the session table (session IDs plus serialised session data), and potentially writing data
  • Credential exposure: Roundcube does not keep mailbox passwords in the users table, but it stores each user's IMAP password inside the session data, encrypted with the instance's des_key from config.inc.php. With the default database session storage those ciphertexts are readable through the injection and are only as safe as that key
  • DBMS compatibility: the injection is known to work against the MySQL/MariaDB backends common in Roundcube deployments. Because the weakness is in how the value reaches the query rather than in a backend-specific feature, do not assume PostgreSQL or SQLite backends are immune
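The following is an added illustration of the weakness class (CWE-89) described above, not Roundcube's code, schema or query and not the CVE-2021-44026 payload, which the advisory does not publish. It builds a generic "search" lookup two ways against an in-memory SQLite database with constructed rows: once by splicing the search term into the SQL text, and once with a bound parameter. The UNION payload is the standard textbook technique and is constructed for this demo.

```python
import sqlite3

# Added illustration of CWE-89 for this advisory. Not Roundcube's code or schema;
# the tables, rows and payload below are constructed for the example.

def build_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE messages (uid INTEGER, subject TEXT);
        CREATE TABLE users (username TEXT, password_hash TEXT);
        INSERT INTO messages VALUES (1, 'quarterly report'), (2, 'lunch on friday');
        INSERT INTO users VALUES ('alice', 'constructed-hash-value');
    """)
    return conn

def search_vulnerable(conn, term):
    """The search term is spliced into the SQL text, so it can change the query's grammar."""
    sql = "SELECT uid, subject FROM messages WHERE subject LIKE '%" + term + "%'"
    return conn.execute(sql).fetchall()

def search_parameterized(conn, term):
    """The search term is bound as a parameter, so the driver always treats it as data."""
    sql = "SELECT uid, subject FROM messages WHERE subject LIKE ?"
    return conn.execute(sql, ("%" + term + "%",)).fetchall()

# Closes the LIKE literal, appends a UNION over an unrelated table, and comments
# out the remainder of the original query. Generic technique, constructed here.
PAYLOAD = "zzz%' UNION SELECT 0, username || ':' || password_hash FROM users -- "

if __name__ == "__main__":
    conn = build_db()
    print("vulnerable   :", search_vulnerable(conn, PAYLOAD))
    print("parameterized:", search_parameterized(conn, PAYLOAD))
```

The vulnerable variant returns a row from the users table that the search was never meant to touch; the parameterised variant returns nothing, because the whole payload is matched as a literal substring of subject. Escaping can also close the hole, but a bound parameter does not depend on getting the escaping right for every backend, which matters for an application such as Roundcube that supports several.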

Discovery

Reported to Roundcube and fixed in the 1.4.12 and 1.3.17 security releases of 12 November 2021; the advisory does not credit a reporter. The roughly 19-month gap between the patch and the CISA KEV listing means exploitation was confirmed against deployments that had gone well over a year without the fix, the usual pattern for webmail: unpatched instances stay reachable on the internet long after a release.

Exploitation Context

Roundcube has been a consistent target for state-aligned actors interested in email espionage. Winter Vivern (TA473) has targeted Roundcube alongside Zimbra in campaigns against government and NATO-affiliated mailboxes, although its publicly documented Roundcube exploitation used a different, later flaw (the 2023 cross-site scripting bug CVE-2023-5631), not this one. CISA added CVE-2021-44026 to KEV on 2023-06-22 together with two older Roundcube vulnerabilities, CVE-2020-12641 and CVE-2020-35730, in the same week that CERT-UA and Recorded Future published reporting on APT28 (BlueDelta) using Roundcube flaws against Ukrainian organisations. For a webmail application, SQL injection is attractive because it yields mailbox metadata, user lists and session material for every account on the instance without needing any individual user's password.

Remediation

  1. Upgrade Roundcube to 1.4.12 or 1.3.17, or preferably to the latest supported release; 1.3.17 was the final 1.3 release, so a 1.3 installation should move to a current series rather than stop there
  2. If you cannot upgrade immediately, put WAF rules in front of the webmail that block SQL injection patterns in the search parameters, treating this as a stopgap only: signature-based filtering is routinely bypassed
  3. Review the database server's query logs (for MySQL/MariaDB, the general or slow query log) and Roundcube's own SQL log (written under logs/ when sql_debug is enabled in config.inc.php) for UNION, information_schema, time-delay functions or comment sequences in queries issued by the Roundcube database user
  4. If exploitation is suspected, invalidate every Roundcube session (with the default database session storage, clear the session table), have users change their mailbox passwords because the session data holds the IMAP password encrypted with des_key, rotate des_key if the web server's files may also have been exposed, and review the users and identities tables for unauthorised changes
  5. Where operationally feasible, restrict reachability of the webmail to VPN or allow-listed networks and pair it with strong authentication at login, since a valid account is enough to reach the search functionality
  6. Keep a regular Roundcube upgrade schedule; security releases are issued several times a year
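Added example for the log-review step above; this is not a Roundcube or MySQL tool. It parses lines in the MySQL general query log layout (timestamp, connection id, command, argument, tab-separated), keeps only Query records, and flags the injection indicators named in step 3. The sample log is constructed for the example: the table names resemble Roundcube's but the queries, connection id and timestamps are invented, and the flagged lines are the sort of thing an attacker probing the search parameter would leave behind, not a capture of a real attack.

```python
import re

# Added example for this advisory; not a Roundcube or MySQL utility.
# Assumed input layout (MySQL general query log):  <ts>\t<conn id> <command>\t<argument>
# SAMPLE_LOG is constructed: Roundcube-like table names, invented traffic.
SAMPLE_LOG = """\
2023-06-23T10:15:02Z\t   41 Connect\troundcube@localhost on roundcubemail
2023-06-23T10:15:02Z\t   41 Query\tSELECT * FROM users WHERE username = 'alice' AND mail_host = 'localhost'
2023-06-23T10:15:03Z\t   41 Query\tSELECT vars, ip, changed FROM session WHERE sess_id = 'abcd1234'
2023-06-23T10:15:09Z\t   41 Query\tSELECT uid FROM cache_index WHERE user_id = 7 AND mailbox = 'INBOX' OR 1=1 UNION SELECT username FROM users -- '
2023-06-23T10:15:10Z\t   41 Query\tSELECT table_name FROM information_schema.tables WHERE table_schema = 'roundcubemail'
2023-06-23T10:15:11Z\t   41 Query\tSELECT SLEEP(5)
"""

# (pattern, label) pairs; each is a common SQL injection artefact, not a Roundcube signature.
INDICATORS = [
    (r"\bUNION\b\s+(?:ALL\s+)?SELECT\b", "union-based read"),
    (r"\binformation_schema\b", "schema enumeration"),
    (r"\b(?:SLEEP|BENCHMARK)\s*\(", "time-based probe"),
    (r"\bOR\s+\d+\s*=\s*\d+\b", "tautology"),
    (r"--\s|/\*", "inline comment"),
    (r"\bLOAD_FILE\s*\(|\bINTO\s+(?:OUT|DUMP)FILE\b", "file access"),
]
COMPILED = [(re.compile(p, re.IGNORECASE), label) for p, label in INDICATORS]

QUERY_LINE = re.compile(r"^(\S+)\s+(\d+)\s+Query\s+(.*)$")

def parse_queries(log_text):
    """Yield (line_no, timestamp, connection_id, sql) for every Query record."""
    for line_no, line in enumerate(log_text.splitlines(), 1):
        m = QUERY_LINE.match(line)
        if m:
            yield line_no, m.group(1), int(m.group(2)), m.group(3)

def scan_log(log_text):
    """Return one finding per query that matches at least one indicator."""
    findings = []
    for line_no, ts, conn_id, sql in parse_queries(log_text):
        hits = [label for rx, label in COMPILED if rx.search(sql)]
        if hits:
            findings.append({"line": line_no, "time": ts, "connection": conn_id,
                             "indicators": hits, "sql": sql})
    return findings

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']} conn {f['connection']} {f['time']}: "
              f"{', '.join(f['indicators'])}\n    {f['sql']}")
```

Treat hits as triage leads rather than verdicts: a legitimate search for the text "or 1=1" would trip the tautology rule, so pivot on the connection id and timestamp to see whether the same session went on to enumerate information_schema or read the session table. Roundcube's own SQL log uses a different line layout, so swap QUERY_LINE for a pattern matching that format before pointing the scanner at it.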

Key Details

Property               Value
CVE ID                 CVE-2021-44026
Vendor / Product       Roundcube — Roundcube Webmail
NVD Published          2021-11-19
NVD Last Modified      2025-11-04
CVSS 3.1 Score         9.8
CVSS 3.1 Vector        CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity               CRITICAL
CWE                    CWE-89
CISA KEV Added         2023-06-22
CISA KEV Deadline      2023-07-13
Known Ransomware Use   No

CVSS 3.1 Breakdown

Attack Vector          Network
Attack Complexity      Low
Privileges Required    None
User Interaction       None
Scope                  Unchanged
Confidentiality        High
Integrity              High
Availability           High

Required Action

CISA BOD 22-01 Deadline: 2023-07-13. Apply updates per vendor instructions.

Timeline

Date         Event
2021-11-12   Roundcube releases security updates 1.4.12 and 1.3.17
2021-11-19   CVE published
2023-06-22   Added to CISA Known Exploited Vulnerabilities catalog
2023-07-13   CISA BOD 22-01 remediation deadline

References

Resource                                          Type
Roundcube Security Update — 1.4.12 and 1.3.17     Vendor Advisory
NVD — CVE-2021-44026                              Vulnerability Database
CISA KEV Catalog Entry                            US Government