Roundcube Webmail 1.6.14 patches multiple serious security flaws, including a pre-auth file-write bug
Roundcube has released Webmail 1.6.14 as a security update for the 1.6 branch, and admins should treat it as a priority patch. The release fixes several serious vulnerabilities, including a pre-authentication arbitrary file write issue, an IMAP injection plus CSRF bypass bug, an XSS flaw in HTML attachment preview, and an SSRF plus information disclosure issue tied to stylesheet links.
The most urgent issue in the release is the pre-auth arbitrary file write bug. Roundcube says the flaw came from unsafe deserialization in the Redis and Memcache session handler, and researcher y0us reported it. Because the issue is pre-auth, an attacker may not need to sign in before attempting exploitation, which raises the risk for exposed webmail deployments.
Roundcube also fixed an account security flaw where a password could be changed without providing the old password, according to the project’s release notes. That bug could become especially dangerous in a hijacked or otherwise compromised session.
Another important fix targets an IMAP injection and CSRF bypass issue in mail search. The release also patches multiple client-side protections, including remote image blocking bypasses through SVG animate attributes, a crafted body background attribute, and a fixed-position mitigation bypass using !important, plus an XSS issue in HTML attachment preview.
Roundcube’s official recommendation is direct. The team says version 1.6.14 is stable and recommends updating all production installations of Roundcube 1.6.x, while making a backup before the upgrade.
What changed in Roundcube 1.6.14
| Area | Fix |
|---|---|
| Session handling | Pre-auth arbitrary file write via unsafe deserialization in Redis/Memcache session handler |
| Account security | Password could be changed without providing the old password |
| Mail search | IMAP injection + CSRF bypass |
| Attachment preview | XSS issue in HTML attachment preview |
| Network access | SSRF + information disclosure via stylesheet links to local network hosts |
| Privacy protections | Multiple remote image blocking bypasses fixed |
| UI hardening | Fixed-position mitigation bypass via !important fixed |
| Database compatibility | PostgreSQL connection using IPv6 address fixed |
All of these items appear in the official 1.6.14 release notes. The project also notes a PostgreSQL IPv6 connection fix outside the security items.
Why admins should move quickly
Roundcube remains widely used in self-hosted and hosted email environments, so security bugs in core mail handling, session management, and browser-facing rendering can create broad exposure. The release notes do not assign CVE numbers in the public announcement, but the vulnerability list alone makes this a meaningful update for internet-facing installations.
The pre-auth file-write bug stands out because it affects the session handler layer and does not require normal account access first. The SSRF issue also matters because it involves stylesheet links to local network hosts, which can expose internal services or data that should not be reachable from outside.
The client-side fixes matter too. Remote image blocking exists partly to stop tracking and privacy leaks in email, so bypasses in that area can expose users to unwanted beaconing or content loading. The HTML attachment preview XSS fix also reduces the risk from malicious content delivered through email.
Patched vulnerabilities in this release
- Pre-auth arbitrary file write via unsafe deserialization in Redis/Memcache session handler
- Password change bug that did not require the old password
- IMAP injection + CSRF bypass in mail search
- Remote image blocking bypass via SVG animate attributes
- Remote image blocking bypass via crafted body background attribute
- Fixed-position mitigation bypass via !important
- XSS issue in HTML attachment preview
- SSRF + information disclosure via stylesheet links to local network hosts
What admins should do now
- Back up the Roundcube application files and database.
- Upgrade production installations running Roundcube 1.6.x to 1.6.14.
- Review whether Redis or Memcache session handlers are enabled.
- Check webmail exposure rules for internet-facing instances.
- Test login, password-change flows, search, and attachment preview after the update.
- Verify remote image blocking still behaves as expected after patching.
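The version and session-handler checks from the list above, as an added pre-upgrade audit script (example code, not Roundcube's own tooling). It assumes a Roundcube 1.x layout where program/include/iniset.php defines RCMAIL_VERSION and config/config.inc.php sets $config['session_storage'] (default 'db'); the fixture directory is constructed for offline testing.

```sh
#!/bin/sh
# Added example, not Roundcube's own tooling. Assumed layout (Roundcube 1.x):
#   program/include/iniset.php  defines RCMAIL_VERSION
#   config/config.inc.php       sets $config['session_storage'] ('db' by default)
# The 1.6.14 advisory concerns the 'redis' and 'memcache' session handlers.

# Installed version string, or "unknown" when the file or define is missing.
rc_version() {
    f="$1/program/include/iniset.php"; v=""
    [ -f "$f" ] && v=$(sed -n "s/.*define('RCMAIL_VERSION', *'\([^']*\)').*/\1/p" "$f" | head -n 1)
    echo "${v:-unknown}"
}

# Configured session backend; falls back to the assumed default 'db'.
session_storage() {
    f="$1/config/config.inc.php"; v=""
    [ -f "$f" ] && v=$(sed -n 's/^[[:space:]]*\$config\[.session_storage.][[:space:]]*=[^a-z]*\([a-z]*\).*/\1/p' "$f" | tail -n 1)
    echo "${v:-db}"
}

# Succeeds when dotted version $1 is greater than or equal to $2.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            if (x[i] + 0 > y[i] + 0) exit 0
            if (x[i] + 0 < y[i] + 0) exit 1
        }
        exit 0
    }'
}

# One report per install directory: patch status plus session-handler review flag.
audit() {
    ver=$(rc_version "$1"); store=$(session_storage "$1")
    if [ "$ver" = unknown ] || ! version_ge "$ver" 1.6.14; then
        echo "UPGRADE: $1 runs $ver, below 1.6.14"
    else
        echo "OK: $1 runs $ver"
    fi
    case "$store" in
        redis|memcache) echo "REVIEW: $1 uses session_storage=$store, the handler patched in 1.6.14" ;;
        *) echo "INFO: $1 uses session_storage=$store" ;;
    esac
}

# Constructed fixture for offline testing: a fake install tree with the given version and backend.
make_fixture() {
    d=$(mktemp -d); mkdir -p "$d/program/include" "$d/config"
    printf "<?php\ndefine('RCMAIL_VERSION', '%s');\n" "$1" > "$d/program/include/iniset.php"
    printf "<?php\n\$config['session_storage'] = '%s';\n" "$2" > "$d/config/config.inc.php"
    echo "$d"
}

# Real use: audit /var/www/roundcube. Demo against a constructed fixture:
demo=$(make_fixture 1.6.13 redis); audit "$demo"; rm -rf "$demo"
```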
Quick take
Roundcube 1.6.14 is not a routine maintenance release. It fixes a cluster of serious issues across authentication, session handling, mail search, browser-side rendering, and local-network access. If you manage a public-facing Roundcube instance, this update should move near the top of your patch queue.
FAQ
Yes. The official release notes say 1.6.14 fixes a pre-auth arbitrary file write issue caused by unsafe deserialization in the Redis/Memcache session handler.
It fixed a bug where a password could be changed without providing the old password. That does not automatically mean full account takeover in every setup, but it is a serious account security issue.
Yes. Roundcube fixed an XSS issue in HTML attachment preview and several remote image blocking bypasses, plus a mitigation bypass using !important.
Yes. Roundcube explicitly recommends backing up data before installing the update.