Roundcube Patches Critical Zero-Click XSS Vulnerabilities

Roundcube, the widely used open-source webmail client, has released version 1.7 to address six security vulnerabilities, including two critical zero-click stored cross-site scripting (XSS) flaws. These vulnerabilities, identified by researchers at Samsung R&D Institute Ukraine (SRUKR), pose significant risks as they can be exploited without any user interaction.

Zero-Click XSS Vulnerabilities

The most severe of these issues, designated as CVE-2026-54432, involves a stored XSS vulnerability triggered by an unescaped attachment MIME type displayed on the attachment-validation warning page. Attackers can craft malicious MIME type strings that, when rendered without proper sanitization, execute arbitrary JavaScript in the victim’s session. This exploit requires no action from the user beyond viewing the warning page, making it a genuine zero-click attack vector.

A related flaw, CVE-2026-54433, affects Roundcube’s plain-text rendering engine. This vulnerability allows attackers to inject malicious scripts into emails that execute silently when a victim views a message in plain-text mode, bypassing the visual cues users typically rely on to identify suspicious content.

Additional Security Fixes

In addition to the critical XSS vulnerabilities, Roundcube 1.7 addresses several other security issues:

  • An infinite loop in the TNEF (winmail.dat) decoder that could enable denial-of-service (DoS) conditions, reported by stafra.
  • Multiple vulnerabilities in the password plugin stemming from session-injected usernames, flagged by Glendaenri and peppersghost.
  • Two new server-side request forgery (SSRF) bypass cases involving specific local address URLs, discovered by Leenear.
  • A DoS vulnerability triggered by crafted compressed-RTF size values within TNEF attachments, reported by h0rk1p.

Beyond these security patches, the update includes several stability fixes, such as proper HEAD request handling in static.php, corrected OAuth password claim retrieval logic, resolution of a 416 error on specific Range requests, and fixes for broken skin logo loading. It also addresses vCard 2.1 import bugs, Imagick temporary file leaks on failure, and excessive session updates under Redis/Memcache configurations.

Mitigation and Recommendations

Given the zero-click nature of the XSS vulnerabilities, organizations using Roundcube should prioritize updating to version 1.7 immediately. Exploitation of CVE-2026-54432 or CVE-2026-54433 could lead to session hijacking, credential theft, or unauthorized mailbox access without any user interaction beyond normal email viewing.

Administrators managing self-hosted webmail instances, especially those exposed to external users, should treat this update as an urgent action item due to the low barrier to exploitation these flaws present. It is also advisable to perform a full data backup before applying the patch to ensure data integrity.

In the broader context, this incident underscores the critical importance of regular software updates and vigilant security practices in maintaining the integrity of webmail systems. As webmail platforms remain prime targets for attackers seeking to exploit vulnerabilities for unauthorized access, organizations must stay proactive in applying security patches and monitoring for potential threats.