Roundcube Fixes Zero-Click Stored XSS Flaws in Latest Security Update
Roundcube has released security updates for its 1.6 LTS and 1.7 branches to fix six vulnerabilities, including two stored cross-site scripting flaws that can trigger when a user views malicious email content.
The most notable fixes address CVE-2026-54432 and CVE-2026-54433. Roundcube says CVE-2026-54432 involves a stored XSS issue caused by an unescaped attachment MIME type on the attachment-validation warning page, while CVE-2026-54433 is a zero-click stored XSS flaw in plain-text rendering.
Access content across the globe at the highest speed rate.
70% of our readers choose Private Internet Access
70% of our readers choose ExpressVPN
Browse the web from multiple devices with industry-standard security protocols.
Faster dedicated servers for specific actions (currently at summer discounts)
Administrators should update production systems to Roundcube 1.6.17 or Roundcube 1.7.2, depending on the branch they use. The official Roundcube security update recommends applying the new versions to all production installations.
What Roundcube fixed
Roundcube published the updates on July 5, 2026, with fixes for six security issues across the webmail client. The project released both the 1.6.17 LTS update and the 1.7.2 update, which means administrators on either supported branch have a patched version available.
The Roundcube 1.7.2 release notes describe the update as a stable security release for the 1.7 branch. The release also includes non-security fixes for static file handling, OAuth claim retrieval, vCard imports, Imagick temporary files, and Redis or Memcache session updates.
For organizations that remain on the LTS branch, the Roundcube 1.6.17 release notes list the same security fixes for the 1.6 line. Roundcube also advises administrators to back up their data before updating.
| Issue | Type | Impact area |
|---|---|---|
| CVE-2026-54432 | Stored XSS | Attachment MIME type on the attachment-validation warning page |
| CVE-2026-54433 | Zero-click stored XSS | Plain-text email rendering |
| TNEF decoder infinite loop | Denial of service | winmail.dat attachment processing |
| Password plugin flaws | Session-related vulnerabilities | Username handling in the password plugin |
| SSRF bypass cases | Server-side request forgery bypass | Specific local address URL handling |
| Compressed RTF size issue | Denial of service | TNEF attachment parsing |
CVE-2026-54432: Stored XSS through attachment MIME type
CVE-2026-54432 stems from improper escaping of an attachment MIME type on a warning page. In practical terms, a malicious email attachment could carry a crafted MIME type string that Roundcube later renders unsafely.
If the vulnerable page displays that value without proper sanitization, JavaScript can run in the user’s browser inside the Roundcube session. That creates risk for mailbox access, session theft, phishing actions, and other browser-side attacks.
This flaw matters because attachment warnings are part of normal email handling. Users may encounter the vulnerable view while reviewing a message, which reduces the need for obvious social engineering such as asking the victim to download a file.
CVE-2026-54433: Zero-click XSS in plain-text rendering
CVE-2026-54433 affects Roundcube’s plain-text rendering path. Roundcube describes it as a zero-click stored XSS vulnerability, which means the attack can trigger when a victim views a crafted message rather than after a separate click.
Zero-click email flaws deserve urgent attention because they reduce the victim’s role in exploitation. A user may only need to open or preview a message in the affected rendering mode for malicious script to execute.
The issue was reported by Bohdan Kurinnoy of Samsung R&D Institute Ukraine, according to both the project announcement and the GitHub release notes.
Why this matters for webmail operators
Roundcube remains widely used by hosting providers, universities, public-sector organizations, small businesses, and self-hosted mail administrators. Because it runs in the browser and handles untrusted email content, stored XSS in Roundcube can create serious downstream risk.
An attacker who can execute JavaScript inside a logged-in webmail session may be able to read messages, abuse contacts, steal sensitive content, modify settings, or send emails as the victim. The exact impact depends on the user’s session, browser protections, mail server configuration, and Roundcube deployment.
Previous Roundcube XSS research has shown why webmail bugs attract attackers. A 2024 SonarSource analysis explained that malicious JavaScript in a Roundcube session can expose emails, contacts, and account access paths.
- Roundcube handles content from external senders, which makes input sanitization critical.
- Stored XSS can persist in a mailbox until the malicious message gets deleted.
- Zero-click behavior lowers the barrier for exploitation.
- Webmail sessions often expose sensitive business, legal, financial, and personal data.
- Shared hosting environments may have many users relying on one Roundcube installation.
Other security fixes in the update
The latest Roundcube patches also address denial-of-service and SSRF-related issues. One fix resolves an infinite loop in the TNEF decoder, which handles winmail.dat attachments often generated by Microsoft Outlook.
Another fix addresses a denial-of-service condition caused by crafted compressed-RTF size values inside TNEF files. These parser-related bugs can matter for public webmail services because attackers can send crafted attachments at scale.
The update also fixes two new SSRF bypass cases involving specific local address URLs. SSRF vulnerabilities can become dangerous when a web application can reach internal systems, local services, or metadata endpoints that outside attackers cannot access directly.
Who needs to update
Administrators running Roundcube 1.6.x should move to 1.6.17. Administrators running Roundcube 1.7.x should move to 1.7.2. The project announcement says both releases contain fixes for recently reported security vulnerabilities.
The update should take priority for internet-facing webmail portals, managed hosting panels, university mail systems, government mail gateways, and any deployment that allows users to receive mail from outside senders.
Administrators should also review any custom plugins, themes, and downstream package versions. Some Linux distributions or hosting panels may publish patched packages under their own release cycle, so operators should confirm that the installed build contains the July 2026 security fixes.
| Installed branch | Recommended version | Action |
|---|---|---|
| Roundcube 1.7.x | 1.7.2 | Update to the latest stable 1.7 security release |
| Roundcube 1.6.x | 1.6.17 | Update to the latest LTS security release |
| Older unsupported versions | Supported branch | Plan an upgrade path and apply supported security updates |
Mitigation steps for administrators
The main mitigation is to update Roundcube. Workarounds may reduce exposure, but they do not replace the official patch because the affected components sit inside normal message handling and rendering paths.
Before deploying the update, administrators should create a full backup of Roundcube files, configuration, plugins, and databases. Roundcube also recommends backing up data before applying the patched release.
After updating, teams should verify the installed version, test login and message rendering, review plugin compatibility, and check logs for errors related to attachments, TNEF handling, SSRF protections, or message display.
- Back up the Roundcube application files, configuration, database, and custom plugins.
- Update Roundcube 1.6.x to 1.6.17 or Roundcube 1.7.x to 1.7.2.
- Confirm that the web interface reports the expected patched version.
- Review web server, mail, and Roundcube logs for suspicious message rendering errors.
- Audit custom plugins that handle attachments, passwords, message rendering, or remote content.
- Restrict administrative access to the Roundcube host and hosting control panel.
- Consider forcing logout for active sessions after patching high-risk deployments.
The bottom line
Roundcube’s latest security update fixes several flaws, but the two stored XSS issues stand out because they sit directly in email handling paths. CVE-2026-54433 is especially urgent because Roundcube identifies it as a zero-click stored XSS vulnerability.
Webmail vulnerabilities often carry more risk than ordinary browser bugs because users stay logged in, messages contain sensitive data, and attackers can deliver payloads through normal email traffic. That makes fast patching important even when a release note does not include a public severity score.
Security teams should treat the July 2026 update as an operational priority. The LTS release and the current stable release both include the same security fixes, so there is a clear upgrade path for supported installations.
The broader lesson remains familiar: webmail software must sanitize every piece of untrusted message data, including metadata such as MIME types. As earlier Roundcube research showed, a crafted email can become a powerful attack vehicle when the webmail client renders unsafe content inside a trusted user session.
FAQ
CVE-2026-54432 is a stored XSS vulnerability caused by an unescaped attachment MIME type on Roundcube’s attachment-validation warning page. A crafted email attachment could cause unsafe script execution when the vulnerable page renders the MIME type.
CVE-2026-54433 is a zero-click stored XSS vulnerability in Roundcube’s plain-text rendering. It can trigger when a victim views a malicious message in the affected rendering path.
Roundcube 1.6.17 fixes the vulnerabilities for the 1.6 LTS branch, and Roundcube 1.7.2 fixes them for the 1.7 branch.
Stored XSS in a webmail session can expose sensitive mailbox data and may enable session abuse, phishing actions, or unauthorized actions inside the victim’s logged-in account. The practical impact depends on the deployment and browser protections.
Administrators should back up their Roundcube installation, update to version 1.6.17 or 1.7.2, verify the installed version, test message rendering, and review custom plugins that handle attachments, passwords, remote content, or message display.
Read our disclosure page to find out how can you help VPNCentral sustain the editorial team Read more
User forum
0 messages