Roundcube: Roundcube Webmail Vulnerability Allows Hackers to Execute Malicious SQL Queries

Critical Roundcube Webmail Vulnerabilities Patched in Urgent Security Update

Roundcube Webmail users must update their systems following the disclosure of multiple severe vulnerabilities, including a critical pre-authentication SQL injection flaw that allows attackers to execute malicious database queries without requiring login credentials. The vulnerabilities were addressed in versions 1.6.16 and 1.7.1, released on May 24, 2026, as part of a high-priority security patch affecting both long-term support and current versions.

The most severe issue, a pre-authentication SQL injection in the virtuser_query plugin, stems from improper input sanitization: the plugin relied on a preg_replace-based escaping step that an attacker can defeat with a backslash, so the escaped value still terminates the SQL string literal. This flaw enables unauthenticated attackers to inject arbitrary SQL commands, risking unauthorized data access, database manipulation, or privilege escalation. Additional vulnerabilities include:

  • A code injection flaw in the LDAP autovalues option, now patched by removing unsafe code evaluation.
  • A stored XSS vulnerability in the draft restore dialog’s subject field, allowing HTML/CSS injection.
  • A CSS injection bypass via SVG animate elements in the HTML sanitizer.
  • An SSRF bypass using crafted local address URLs and a remote resource fetch bypass when blocking external content.
  • A pre-auth arbitrary file deletion vulnerability via Redis or Memcache session poisoning.
  • A remote image blocking bypass through CSS var() manipulation.
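
The mechanism behind the headline flaw, a quote-only escaper that a leading backslash neutralises, is worth seeing concretely. The following is an added example, not Roundcube's code and not the actual virtuser_query configuration (the advisory does not publish the affected query or regex). It assumes a hypothetical lookup template with a %u placeholder and a hypothetical virtual_users table, and it models MySQL string-literal rules, where a backslash escapes the next character. It contrasts a preg_replace-style quote-only escaper with one that escapes backslashes first, uses a small lexer to show whether the attacker's value breaks out of the literal, and finishes with the real fix: binding the value as a query parameter.

```python
import re
import sqlite3

# Hypothetical lookup template with a %u placeholder for the login name.
# This is an assumption for illustration, not Roundcube's virtuser_query setting.
TEMPLATE = "SELECT email FROM virtual_users WHERE username = '%u'"


def escape_quotes_only(value: str) -> str:
    """Quote-only escaper: the class of sanitizer the advisory calls bypassable.

    Mirrors a preg_replace-style rule that prefixes single quotes with a
    backslash but never touches backslashes in the input itself.
    """
    return re.sub(r"'", r"\\'", value)


def escape_backslash_and_quote(value: str) -> str:
    """Escape backslashes first, then quotes, so no input can neutralise the
    escaping backslash that sits in front of a quote (MySQL literal rules)."""
    return value.replace("\\", "\\\\").replace("'", "\\'")


def build_query(user: str, escaper) -> str:
    """String-build the query the way a naive placeholder substitution does."""
    return TEMPLATE.replace("%u", escaper(user))


def literal_end(sql: str, start: int) -> int:
    """Index just past the closing quote of the single-quoted literal opening
    at sql[start], using MySQL rules: a backslash escapes the next character."""
    assert sql[start] == "'"
    i = start + 1
    while i < len(sql):
        if sql[i] == "\\":
            i += 2          # escaped character, skip it whatever it is
        elif sql[i] == "'":
            return i + 1
        else:
            i += 1
    raise ValueError("unterminated string literal")


def breaks_out(user: str, escaper) -> bool:
    """True if the escaped value terminates the literal early, leaving
    attacker-controlled text in the query after the literal closes."""
    sql = build_query(user, escaper)
    end = literal_end(sql, sql.index("'"))
    return sql[end:] != ""   # TEMPLATE ends right after the closing quote


def lookup_parameterized(user: str) -> list:
    """The correct fix: bind the value instead of splicing it into SQL text.

    Runs against an in-memory SQLite table seeded with constructed sample rows;
    parameter binding behaves the same way on MySQL or PostgreSQL.
    """
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE virtual_users (username TEXT, email TEXT)")
    db.executemany(
        "INSERT INTO virtual_users VALUES (?, ?)",
        [("alice", "alice@example.org"), ("o'brien", "obrien@example.org")],
    )
    rows = db.execute(
        "SELECT email FROM virtual_users WHERE username = ?", (user,)
    ).fetchall()
    db.close()
    return [email for (email,) in rows]


if __name__ == "__main__":
    # Constructed attacker input: a backslash, a quote, then an SQL tail.
    payload = "\\' OR 1=1 -- "
    for name, esc in (("quote-only", escape_quotes_only),
                      ("backslash+quote", escape_backslash_and_quote)):
        print(f"{name:16} {build_query(payload, esc)!r}  breaks out: {breaks_out(payload, esc)}")
    print("benign o'brien, quote-only:", breaks_out("o'brien", escape_quotes_only))
    print("parameterized alice:", lookup_parameterized("alice"))
    print("parameterized payload:", lookup_parameterized(payload))
```

With the quote-only escaper, the attacker's `\'` becomes `\\'` in the query text: the doubled backslash is read as one escaped backslash and the quote that follows closes the literal, so ` OR 1=1 -- ` lands in the WHERE clause. Escaping backslashes before quotes keeps the literal intact, and a bound parameter never enters the SQL text at all, which is why parameterized queries rather than better regexes are the durable fix.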

The vulnerabilities were reported by security researchers, including Orange Cyberdefense's Vulnerability Disclosure Team and independent contributors, underscoring the role of coordinated disclosure in mitigating risks. All Roundcube installations running 1.6.x or 1.7.x are affected, and administrators are urged to upgrade immediately to 1.6.16 or 1.7.1 to prevent exploitation. The severity of these flaws, particularly the pre-auth SQL injection, makes this update critical for organizations using Roundcube, especially in internet-facing environments.

Source: https://gbhackers.com/roundcube-webmail-vulnerability-execute-malicious-sql-queries/

RoundcubePlus cybersecurity rating report: https://www.rankiteo.com/company/roundcubeplus

"id": "ROU1779964080",
"linkid": "roundcubeplus",
"type": "Vulnerability",
"date": "5/2026",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'customers_affected': 'All organizations using '
                                              'Roundcube 1.6.x or 1.7.x',
                        'industry': 'Technology/Email Services',
                        'name': 'Roundcube Webmail',
                        'type': 'Software'}],
 'attack_vector': ['Pre-authentication SQL Injection',
                   'LDAP autovalues code injection',
                   'Stored XSS via draft restore dialog',
                   'CSS injection via SVG animate elements',
                   'SSRF via crafted local URLs',
                   'Session poisoning via Redis/Memcache',
                   'Remote image blocking bypass via CSS var()'],
 'customer_advisories': 'All Roundcube Webmail users urged to upgrade '
                        'immediately to versions 1.6.16 or 1.7.1.',
 'data_breach': {'sensitivity_of_data': 'Potentially sensitive database '
                                        'contents (e.g., user credentials, '
                                        'emails)'},
 'date_publicly_disclosed': '2026-05-24',
 'date_resolved': '2026-05-24',
 'description': 'Roundcube Webmail users must update their systems following '
                'the disclosure of multiple severe vulnerabilities, including '
                'a critical pre-authentication SQL injection flaw that allows '
                'attackers to execute malicious database queries without '
                'requiring login credentials. The vulnerabilities were '
                'addressed in versions 1.6.16 and 1.7.1, released on May 24, '
                '2026, as part of a high-priority security patch affecting '
                'both long-term support and current versions.',
 'impact': {'data_compromised': 'Unauthorized data access, database '
                                'manipulation, or privilege escalation',
            'systems_affected': 'Roundcube Webmail installations (versions '
                                '1.6.x and 1.7.x)'},
 'investigation_status': 'Patched',
 'lessons_learned': 'Importance of coordinated vulnerability disclosure and '
                    'timely patching of critical flaws, especially in '
                    'internet-facing software.',
 'post_incident_analysis': {'corrective_actions': 'Patching vulnerabilities, '
                                                  'removing unsafe code '
                                                  'evaluation, and enhancing '
                                                  'input validation '
                                                  'mechanisms.',
                            'root_causes': 'Improper input sanitization, '
                                           'unsafe code evaluation, and '
                                           'inadequate HTML/CSS/SVG '
                                           'sanitization in Roundcube '
                                           'Webmail.'},
 'recommendations': 'Immediately upgrade Roundcube Webmail to versions 1.6.16 '
                    'or 1.7.1; audit systems for signs of exploitation; '
                    'implement input sanitization best practices; monitor for '
                    'unusual database activity.',
 'references': [{'source': 'Orange Cyberdefense’s Vulnerability Disclosure '
                           'Team'}],
 'response': {'containment_measures': 'Urgent security patch released '
                                      '(versions 1.6.16 and 1.7.1)',
              'remediation_measures': 'Upgrade to versions 1.6.16 or 1.7.1; '
                                      'removal of unsafe code evaluation in '
                                      'LDAP autovalues; fixes for HTML/CSS/SVG '
                                      'injection vectors; SSRF and session '
                                      'poisoning mitigations'},
 'title': 'Critical Roundcube Webmail Vulnerabilities Patched in Urgent '
          'Security Update',
 'type': ['SQL Injection',
          'Code Injection',
          'Stored XSS',
          'CSS Injection',
          'SSRF Bypass',
          'Arbitrary File Deletion',
          'Remote Resource Fetch Bypass'],
 'vulnerability_exploited': ['Improper input sanitization in virtuser_query '
                             'plugin (preg_replace backslash escape bypass)',
                             'Unsafe code evaluation in LDAP autovalues option',
                             'HTML/CSS injection in draft restore dialog’s '
                             'subject field',
                             'SVG animate elements in HTML sanitizer',
                             'Crafted local address URLs for SSRF bypass',
                             'External content blocking bypass via CSS var() '
                             'manipulation',
                             'Redis/Memcache session poisoning for arbitrary '
                             'file deletion']}