The life of a security-conscious open source project can be summed up quite nicely by the last two days of the Horde project.
On 2026-06-30, the Horde team announced the General Availability (GA) release of Horde 6 and IMP 7.0.0, marking the first stable release of the next major generation of the Horde webmail and groupware platform. Boy we were a proud bunch.
Less than a day later, on 2026-07-01, we faced our first post-GA security issue. CVE-2026-58451 was publicly disclosed along with our immediate release of IMP 7.0.1 containing the fix. [cvefeed.io], [vulncheck.com] But don’t panic!
What is CVE-2026-58451?
As the published advisory suggests, IMP versions prior to 7.0.1 contain a path traversal vulnerability in lib/Compose.php. An authenticated attacker can abuse image source handling during message composition to access arbitrary files on the server filesystem. Exploitation may also be possible through CSRF against an active authenticated session. [cvefeed.io]
This was rated with a CVSS v4 score of 7.1 (High). [radar.offseq.com]
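As an added illustration (not Horde's own code and not the actual IMP 7.0.1 fix), this is the kind of containment check a PHP application should apply before a user-supplied image reference from a compose form is read from the local filesystem; the function name and the base directory are assumptions made for the example:

```php
<?php
// Added illustration, not Horde's own code or its actual fix for CVE-2026-58451:
// a containment check for a user-supplied image reference before it is read
// from the local filesystem during message composition. The function name and
// the base directory are assumptions made for this example.

function resolve_image_within(string $baseDir, string $userRef): ?string
{
    // Canonicalise the allowed base directory; realpath() returns false if it
    // does not exist, and on PHP 8 it throws on NUL bytes, so check those first.
    $base = realpath($baseDir);
    if ($base === false || $userRef === '' || strpos($userRef, "\0") !== false) {
        return null;
    }
    // Only plain relative names are acceptable: reject absolute paths,
    // Windows-style backslashes and anything with a scheme ("file:", "http:").
    if (preg_match('#^(?:[a-zA-Z][a-zA-Z0-9+.-]*:|/|\\\\)#', $userRef)) {
        return null;
    }
    // Resolve the candidate with "." / ".." and symlinks expanded, then require
    // it to sit strictly below the base. The trailing separator in the prefix
    // stops "/var/img2/x" from passing a check for base "/var/img".
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $userRef);
    $prefix = $base . DIRECTORY_SEPARATOR;
    if ($candidate === false || strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null; // missing, or escaped via "../" or a symlink pointing outside
    }
    return is_file($candidate) ? $candidate : null;
}

// Constructed demonstration: a throwaway base directory with one image file.
$tmp = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'imgdemo_' . getmypid();
mkdir($tmp, 0700);
file_put_contents($tmp . DIRECTORY_SEPARATOR . 'logo.png', 'constructed-sample');

var_dump(resolve_image_within($tmp, 'logo.png'));        // reference inside the base
var_dump(resolve_image_within($tmp, '../outside.png'));  // "../" escape attempt
var_dump(resolve_image_within($tmp, '/etc/hostname'));   // absolute path
var_dump(resolve_image_within($tmp, 'file:logo.png'));   // scheme prefix

unlink($tmp . DIRECTORY_SEPARATOR . 'logo.png');
rmdir($tmp);
```

Because the page also notes the issue may be reachable through CSRF against a logged-in session, the compose endpoint should additionally require a per-session anti-CSRF token; the path check alone does not address that vector.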
The Good News
A CVE published one day after a major GA announcement might sound alarming, but I’d like to look at it from another point of view. We worked with the disclosing party. We provided a fix within a day. The project has regained some visibility and we are able to act on any findings. All in all this is a healthy situation. This was an example of what a mature security process should look like:
- A vulnerability is identified.
- A fix is prepared.
- A CVE is assigned.
- A patched release is made available immediately.
Nevertheless, it was a bit humiliating, to be honest.
Open source software is not defined by the absence of vulnerabilities. It is defined by everybody being able to look at the product, identify issues freely, and allow maintainers to quickly and transparently address those vulnerabilities.
Major releases frequently receive significant real-world exposure only after reaching GA. New code paths, new deployment scenarios and, quite frankly, new bugs.
Fresh scrutiny from both users and security researchers is gold. I like it.
Recommendation
If you have deployed IMP 7.0.0, upgrade to IMP 7.0.1 immediately; once upgraded you are unaffected by CVE-2026-58451.
For the Horde project the first 48 hours of the Horde 6 era have already demonstrated two things:
- The new generation has officially arrived.
- Security response processes remain as important as feature development.
Welcome to Horde 6. And don’t forget to patch.