CVE-2021-44026

9.8 CRITICAL

📋 TL;DR

This SQL injection vulnerability in Roundcube webmail allows attackers to execute arbitrary SQL commands via search or search_params parameters. It affects all Roundcube installations before version 1.3.17 and 1.4.x before 1.4.12. Attackers could potentially access, modify, or delete email database contents.

💻 Affected Systems

Products:
  • Roundcube Webmail
Versions: Roundcube < 1.3.17 and 1.4.x < 1.4.12
Operating Systems: All operating systems running Roundcube
Default Config Vulnerable: ⚠️ Yes
Notes: All default configurations are vulnerable if using affected versions. Requires search functionality to be accessible.

📦 What is this software?

Roundcube Webmail is an open-source, browser-based IMAP email client written in PHP. It runs on a web server and keeps user settings, address books and cached message metadata in a SQL database (MySQL/MariaDB, PostgreSQL or SQLite), which is the data store a SQL injection in its search code can reach.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete compromise of the email database, including reading, modifying or deleting all emails, user credentials and configuration data; potential privilege escalation to system access.

🟠 Likely Case: Unauthorized access to email contents, user information and potentially authentication data stored in the database.

🟢 If Mitigated: Limited impact if the database user has minimal privileges and proper input validation is enforced at other layers.

🌐 Internet-Facing: HIGH - Roundcube is typically internet-facing webmail software accessible to attackers.
🏢 Internal Only: MEDIUM - Internal deployments still vulnerable to insider threats or compromised internal systems.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authentication to Roundcube. SQL injection is well-understood with many available tools.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.3.17 or 1.4.12

Vendor Advisory: https://github.com/roundcube/roundcubemail/security/advisories

Restart Required: No

Instructions:

1. Back up your Roundcube installation and database.
2. Download the latest version from roundcube.net.
3. Replace the existing files with the new version.
4. Run the update script if the database schema changed.
5. Verify functionality.

🔧 Temporary Workarounds

Disable Search Functionality

Platform: all

Temporarily disable search features to prevent exploitation while patching. Confirm that your Roundcube version actually honours this option (compare against config/defaults.inc.php) before relying on it; if it does not, the search action remains reachable.

# Edit Roundcube config.inc.php and add:
$config['enable_search'] = false;

Web Application Firewall Rules

Platform: linux

Add WAF rules to block SQL injection patterns in search parameters. Two caveats: a bare keyword list like the one below also matches ordinary words ("update", "delete", "select") in any request parameter, so expect false positives on legitimate searches and composed messages; and nginx's $args is the raw, undecoded query string, so URL-encoded input (e.g. %27 for a quote) is not caught by the nginx rule, whereas ModSecurity decodes ARGS before matching.

# Example ModSecurity rule:
SecRule ARGS "(?i)(union|select|insert|update|delete|drop|--|#)" \
    "id:1001,phase:2,deny,status:403,msg:'SQLi attempt'"

# For nginx:
location ~* \.php$ {
    set $block_sqli 0;
    if ($args ~* "(union|select|insert|update|delete|drop|--|#)") {
        set $block_sqli 1;
    }
    if ($block_sqli = 1) {
        return 403;
    }
}

🧯 If You Can't Patch

  • Implement strict input validation and parameterized queries at application layer
  • Restrict database user permissions to the minimum required (SELECT only if possible; note that Roundcube's own tables such as users, session and cache need INSERT/UPDATE/DELETE, so in practice this means denying DDL, FILE and GRANT privileges and access to any other database)

🔍 How to Verify

Check if Vulnerable:

Check Roundcube version in program/include/iniset.php or via admin interface. If version is <1.3.17 or 1.4.x <1.4.12, you are vulnerable.

Check Version:

grep -r "RCMAIL_VERSION" /path/to/roundcube/program/include/iniset.php | head -1

Verify Fix Applied:

Verify version is 1.3.17 or higher, or 1.4.12 or higher. Test search functionality with SQL injection payloads (e.g., ' OR '1'='1) to ensure they are blocked.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL errors in web server logs
  • Multiple failed search attempts with SQL syntax
  • Long or unusual search parameter values

Network Indicators:

  • HTTP POST requests to search endpoints with SQL keywords in parameters
  • Unusual database query patterns from web server

SIEM Query:

source="web_logs"
  AND (url="*/mail*" OR url="*/search*")
  AND (query="*union*" OR query="*select*" OR query="*insert*" OR query="*update*"
       OR query="*delete*" OR query="*drop*" OR query="*--*" OR query="*#*")
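The log and SIEM indicators above reduce to a small classifier that can be run over web server access logs. This is an added example, not code from the advisory or from the Roundcube project; the access-log lines are constructed, and the URL layout and parameter names (_task, _action, _q, _search) are assumed for the sample. It separates a bare SQL keyword (often natural language in a search box) from a quote or comment marker combined with a keyword or a 5xx response, and counts high findings per client IP.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed Apache combined-format access-log lines; not taken from any real system.
# The URL layout and parameter names (_task, _action, _q, _search) are assumed for the sample.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Nov/2021:10:01:02 +0000] "GET /roundcube/?_task=mail&_action=search&_q=invoice&_mbox=INBOX HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.6 - - [10/Nov/2021:10:01:05 +0000] "GET /roundcube/?_task=mail&_action=search&_q=please+update+the+invoice&_mbox=INBOX HTTP/1.1" 200 640 "-" "Mozilla/5.0"
10.0.0.7 - - [10/Nov/2021:10:01:09 +0000] "GET /roundcube/?_task=mail&_action=search&_q=%27+OR+%271%27%3D%271&_mbox=INBOX HTTP/1.1" 500 0 "-" "curl/7.79"
10.0.0.7 - - [10/Nov/2021:10:01:15 +0000] "GET /roundcube/?_task=mail&_action=search&_search=x%27+UNION+SELECT+1--&_mbox=INBOX HTTP/1.1" 500 0 "-" "curl/7.79"
10.0.0.9 - - [10/Nov/2021:10:02:00 +0000] "GET /roundcube/?_task=mail&_action=list&_mbox=INBOX HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3})')
# Keyword list from the WAF rule above; \b keeps words like "updated" or "selection" from matching.
KEYWORD_RE = re.compile(r"(?i)\b(union|select|insert|update|delete|drop)\b")
# Metacharacters that rarely occur in a genuine mailbox search term.
META_RE = re.compile(r"'|--|#|/\*")
SEARCH_PARAMS = ("_q", "_search", "search", "search_params")

def classify(line):
    """Rate one log line: None for non-search requests, else (client_ip, severity, parameter)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    params = parse_qs(url.query)  # parse_qs also URL-decodes the values
    if params.get("_action") != ["search"] and "search" not in url.path:
        return None
    status = int(m.group("status"))
    worst = ("none", None)
    for name in SEARCH_PARAMS:
        for value in params.get(name, []):
            meta, keyword = bool(META_RE.search(value)), bool(KEYWORD_RE.search(value))
            if meta and (keyword or status >= 500):
                return (m.group("ip"), "high", name)  # quote/comment plus keyword or a DB error
            if meta:
                worst = ("medium", name)  # metacharacter alone
            elif keyword and worst[0] == "none":
                worst = ("low", name)  # bare keyword: often just natural language
    return (m.group("ip"), worst[0], worst[1])

def scan(log_text):
    """Return findings rated above 'none' in log order, plus a per-IP count of high findings."""
    findings = [r for r in map(classify, log_text.splitlines()) if r and r[1] != "none"]
    high_by_ip = {}
    for ip, sev, _ in findings:
        high_by_ip[ip] = high_by_ip.get(ip, 0) + (sev == "high")
    return findings, {ip: n for ip, n in high_by_ip.items() if n}
```

Feed real access logs through scan() and alert on repeated high findings from one client; tune SEARCH_PARAMS and the keyword list to your deployment.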
