Roundcube: RoundCube 0-Click Vulnerability Enables Stored XSS Attack via MIME Type Attachment

Roundcube: RoundCube 0-Click Vulnerability Enables Stored XSS Attack via MIME Type Attachment

Roundcube Patches Critical Zero-Click XSS Vulnerabilities in Version 1.7

Roundcube has released version 1.7 to address six security vulnerabilities, including two critical stored cross-site scripting (XSS) flaws that enable zero-click exploitation. The most severe, CVE-2026-54432, allows attackers to execute arbitrary JavaScript by crafting a malicious MIME type in an email attachment, triggering the payload when a user views the attachment warning page without requiring any interaction. A related flaw, CVE-2026-54433, exploits Roundcube’s plain-text rendering engine, silently executing malicious scripts when a victim reads an email in plain-text mode.

Both vulnerabilities were discovered by Bohdan Kurinnoy of Samsung R&D Institute Ukraine (SRUKR), underscoring the growing focus on webmail platforms as prime targets for credential theft and session hijacking. Additional fixes in the update include patches for a TNEF decoder infinite loop (DoS), password plugin session-injection flaws, SSRF bypasses, and a DoS vulnerability in compressed-RTF attachments.

Beyond security, Roundcube 1.7 resolves stability issues, including OAuth password claim retrieval errors, vCard 2.1 import bugs, and Imagick temporary file leaks. Due to the zero-click nature of the XSS flaws, Roundcube has urged administrators to prioritize the update, particularly for externally exposed instances, to prevent session hijacking and unauthorized mailbox access. A full data backup is recommended before patching.

Source: https://cybersecuritynews.com/roundcube-0-click-vulnerability/

RoundCube DOO cybersecurity rating report: https://www.rankiteo.com/company/roundcubedoo

"id": "ROU1783621569",
"linkid": "roundcubedoo",
"type": "Vulnerability",
"date": "7/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': 'Users of Roundcube webmail '
                                              'instances, particularly '
                                              'externally exposed instances',
                        'industry': 'Email/Communication',
                        'name': 'Roundcube',
                        'type': 'Software'}],
 'attack_vector': 'Malicious email attachments, plain-text email rendering',
 'description': 'Roundcube has released version 1.7 to address six security '
                'vulnerabilities, including two critical stored cross-site '
                'scripting (XSS) flaws that enable zero-click exploitation. '
                'The most severe, CVE-2026-54432, allows attackers to execute '
                'arbitrary JavaScript by crafting a malicious MIME type in an '
                'email attachment, triggering the payload when a user views '
                'the attachment warning page without requiring any '
                'interaction. A related flaw, CVE-2026-54433, exploits '
                'Roundcube’s plain-text rendering engine, silently executing '
                'malicious scripts when a victim reads an email in plain-text '
                'mode. Additional fixes include patches for a TNEF decoder '
                'infinite loop (DoS), password plugin session-injection flaws, '
                'SSRF bypasses, and a DoS vulnerability in compressed-RTF '
                'attachments. The update also resolves stability issues like '
                'OAuth password claim retrieval errors, vCard 2.1 import bugs, '
                'and Imagick temporary file leaks.',
 'impact': {'identity_theft_risk': 'High (session hijacking, credential theft)',
            'operational_impact': 'Potential session hijacking, unauthorized '
                                  'mailbox access',
            'systems_affected': 'Roundcube webmail instances'},
 'investigation_status': 'Vulnerabilities patched',
 'lessons_learned': 'Webmail platforms are prime targets for credential theft '
                    'and session hijacking; zero-click vulnerabilities require '
                    'immediate patching.',
 'motivation': 'Credential theft, session hijacking, unauthorized mailbox '
               'access',
 'post_incident_analysis': {'corrective_actions': 'Patching vulnerabilities, '
                                                  'improving input validation, '
                                                  'and addressing stability '
                                                  'issues.',
                            'root_causes': 'Critical zero-click XSS '
                                           "vulnerabilities in Roundcube's "
                                           'MIME type handling and plain-text '
                                           'rendering engine.'},
 'recommendations': 'Prioritize patching to Roundcube 1.7, especially for '
                    'externally exposed instances. Conduct full data backups '
                    'before applying updates.',
 'references': [{'source': 'Roundcube Security Advisory'},
                {'source': 'Bohdan Kurinnoy (Samsung R&D Institute Ukraine)'}],
 'response': {'communication_strategy': 'Urged administrators to prioritize '
                                        'the update for externally exposed '
                                        'instances',
              'containment_measures': 'Release of patched version (1.7)',
              'remediation_measures': 'Patching to Roundcube 1.7, full data '
                                      'backup recommended before patching'},
 'stakeholder_advisories': 'Administrators urged to update to Roundcube 1.7 '
                           'immediately.',
 'title': 'Roundcube Patches Critical Zero-Click XSS Vulnerabilities in '
          'Version 1.7',
 'type': 'Zero-Click XSS, DoS, SSRF, Session Injection',
 'vulnerability_exploited': ['CVE-2026-54432',
                             'CVE-2026-54433',
                             'TNEF decoder infinite loop',
                             'Password plugin session-injection flaws',
                             'SSRF bypasses',
                             'DoS in compressed-RTF attachments']}
Great! Next, complete checkout for full access to Rankiteo Blog.
Welcome back! You've successfully signed in.
You've successfully subscribed to Rankiteo Blog.
Success! Your account is fully activated, you now have access to all content.
Success! Your billing info has been updated.
Your billing was not updated.