Roundcube Fixes Zero-Click Stored XSS Flaws in Latest Security Update


Roundcube has released security updates for its 1.6 LTS and 1.7 branches to fix six vulnerabilities, including two stored cross-site scripting flaws that can trigger when a user views malicious email content.

The most notable fixes address CVE-2026-54432 and CVE-2026-54433. Roundcube says CVE-2026-54432 involves a stored XSS issue caused by an unescaped attachment MIME type on the attachment-validation warning page, while CVE-2026-54433 is a zero-click stored XSS flaw in plain-text rendering.

Administrators should update production systems to Roundcube 1.6.17 or Roundcube 1.7.2, depending on the branch they use. The official Roundcube security update recommends applying the new versions to all production installations.

What Roundcube fixed

Roundcube published the updates on July 5, 2026, with fixes for six security issues across the webmail client. The project released both the 1.6.17 LTS update and the 1.7.2 update, which means administrators on either supported branch have a patched version available.

The Roundcube 1.7.2 release notes describe the update as a stable security release for the 1.7 branch. The release also includes non-security fixes for static file handling, OAuth claim retrieval, vCard imports, Imagick temporary files, and Redis or Memcache session updates.

For organizations that remain on the LTS branch, the Roundcube 1.6.17 release notes list the same security fixes for the 1.6 line. Roundcube also advises administrators to back up their data before updating.

IssueTypeImpact area
CVE-2026-54432Stored XSSAttachment MIME type on the attachment-validation warning page
CVE-2026-54433Zero-click stored XSSPlain-text email rendering
TNEF decoder infinite loopDenial of servicewinmail.dat attachment processing
Password plugin flawsSession-related vulnerabilitiesUsername handling in the password plugin
SSRF bypass casesServer-side request forgery bypassSpecific local address URL handling
Compressed RTF size issueDenial of serviceTNEF attachment parsing

CVE-2026-54432: Stored XSS through attachment MIME type

CVE-2026-54432 stems from improper escaping of an attachment MIME type on a warning page. In practical terms, a malicious email attachment could carry a crafted MIME type string that Roundcube later renders unsafely.

If the vulnerable page displays that value without proper sanitization, JavaScript can run in the user’s browser inside the Roundcube session. That creates risk for mailbox access, session theft, phishing actions, and other browser-side attacks.

This flaw matters because attachment warnings are part of normal email handling. Users may encounter the vulnerable view while reviewing a message, which reduces the need for obvious social engineering such as asking the victim to download a file.

CVE-2026-54433: Zero-click XSS in plain-text rendering

CVE-2026-54433 affects Roundcube’s plain-text rendering path. Roundcube describes it as a zero-click stored XSS vulnerability, which means the attack can trigger when a victim views a crafted message rather than after a separate click.

Zero-click email flaws deserve urgent attention because they reduce the victim’s role in exploitation. A user may only need to open or preview a message in the affected rendering mode for malicious script to execute.

The issue was reported by Bohdan Kurinnoy of Samsung R&D Institute Ukraine, according to both the project announcement and the GitHub release notes.

Why this matters for webmail operators

Roundcube remains widely used by hosting providers, universities, public-sector organizations, small businesses, and self-hosted mail administrators. Because it runs in the browser and handles untrusted email content, stored XSS in Roundcube can create serious downstream risk.

An attacker who can execute JavaScript inside a logged-in webmail session may be able to read messages, abuse contacts, steal sensitive content, modify settings, or send emails as the victim. The exact impact depends on the user’s session, browser protections, mail server configuration, and Roundcube deployment.

Previous Roundcube XSS research has shown why webmail bugs attract attackers. A 2024 SonarSource analysis explained that malicious JavaScript in a Roundcube session can expose emails, contacts, and account access paths.

  • Roundcube handles content from external senders, which makes input sanitization critical.
  • Stored XSS can persist in a mailbox until the malicious message gets deleted.
  • Zero-click behavior lowers the barrier for exploitation.
  • Webmail sessions often expose sensitive business, legal, financial, and personal data.
  • Shared hosting environments may have many users relying on one Roundcube installation.

Other security fixes in the update

The latest Roundcube patches also address denial-of-service and SSRF-related issues. One fix resolves an infinite loop in the TNEF decoder, which handles winmail.dat attachments often generated by Microsoft Outlook.

Another fix addresses a denial-of-service condition caused by crafted compressed-RTF size values inside TNEF files. These parser-related bugs can matter for public webmail services because attackers can send crafted attachments at scale.

The update also fixes two new SSRF bypass cases involving specific local address URLs. SSRF vulnerabilities can become dangerous when a web application can reach internal systems, local services, or metadata endpoints that outside attackers cannot access directly.

Who needs to update

Administrators running Roundcube 1.6.x should move to 1.6.17. Administrators running Roundcube 1.7.x should move to 1.7.2. The project announcement says both releases contain fixes for recently reported security vulnerabilities.

The update should take priority for internet-facing webmail portals, managed hosting panels, university mail systems, government mail gateways, and any deployment that allows users to receive mail from outside senders.

Administrators should also review any custom plugins, themes, and downstream package versions. Some Linux distributions or hosting panels may publish patched packages under their own release cycle, so operators should confirm that the installed build contains the July 2026 security fixes.

Installed branchRecommended versionAction
Roundcube 1.7.x1.7.2Update to the latest stable 1.7 security release
Roundcube 1.6.x1.6.17Update to the latest LTS security release
Older unsupported versionsSupported branchPlan an upgrade path and apply supported security updates

Mitigation steps for administrators

The main mitigation is to update Roundcube. Workarounds may reduce exposure, but they do not replace the official patch because the affected components sit inside normal message handling and rendering paths.

Before deploying the update, administrators should create a full backup of Roundcube files, configuration, plugins, and databases. Roundcube also recommends backing up data before applying the patched release.

After updating, teams should verify the installed version, test login and message rendering, review plugin compatibility, and check logs for errors related to attachments, TNEF handling, SSRF protections, or message display.

  1. Back up the Roundcube application files, configuration, database, and custom plugins.
  2. Update Roundcube 1.6.x to 1.6.17 or Roundcube 1.7.x to 1.7.2.
  3. Confirm that the web interface reports the expected patched version.
  4. Review web server, mail, and Roundcube logs for suspicious message rendering errors.
  5. Audit custom plugins that handle attachments, passwords, message rendering, or remote content.
  6. Restrict administrative access to the Roundcube host and hosting control panel.
  7. Consider forcing logout for active sessions after patching high-risk deployments.

The bottom line

Roundcube’s latest security update fixes several flaws, but the two stored XSS issues stand out because they sit directly in email handling paths. CVE-2026-54433 is especially urgent because Roundcube identifies it as a zero-click stored XSS vulnerability.

Webmail vulnerabilities often carry more risk than ordinary browser bugs because users stay logged in, messages contain sensitive data, and attackers can deliver payloads through normal email traffic. That makes fast patching important even when a release note does not include a public severity score.

Security teams should treat the July 2026 update as an operational priority. The LTS release and the current stable release both include the same security fixes, so there is a clear upgrade path for supported installations.

The broader lesson remains familiar: webmail software must sanitize every piece of untrusted message data, including metadata such as MIME types. As earlier Roundcube research showed, a crafted email can become a powerful attack vehicle when the webmail client renders unsafe content inside a trusted user session.

FAQ

What is CVE-2026-54432 in Roundcube?

CVE-2026-54432 is a stored XSS vulnerability caused by an unescaped attachment MIME type on Roundcube’s attachment-validation warning page. A crafted email attachment could cause unsafe script execution when the vulnerable page renders the MIME type.

What is CVE-2026-54433 in Roundcube?

CVE-2026-54433 is a zero-click stored XSS vulnerability in Roundcube’s plain-text rendering. It can trigger when a victim views a malicious message in the affected rendering path.

Which Roundcube versions fix these vulnerabilities?

Roundcube 1.6.17 fixes the vulnerabilities for the 1.6 LTS branch, and Roundcube 1.7.2 fixes them for the 1.7 branch.

Can these Roundcube flaws lead to account compromise?

Stored XSS in a webmail session can expose sensitive mailbox data and may enable session abuse, phishing actions, or unauthorized actions inside the victim’s logged-in account. The practical impact depends on the deployment and browser protections.

What should Roundcube administrators do now?

Administrators should back up their Roundcube installation, update to version 1.6.17 or 1.7.2, verify the installed version, test message rendering, and review custom plugins that handle attachments, passwords, remote content, or message display.

Readers help support VPNCentral. We may get a commission if you buy through our links. Tooltip Icon

Read our disclosure page to find out how can you help VPNCentral sustain the editorial team Read more

User forum

0 messages