Roundcube Patches Critical Zero-Click XSS Vulnerabilities in Version 1.7
Roundcube has released version 1.7 to address six security vulnerabilities, including two critical stored cross-site scripting (XSS) flaws that enable zero-click exploitation. The most severe, CVE-2026-54432, allows attackers to execute arbitrary JavaScript by crafting a malicious MIME type in an email attachment, triggering the payload when a user views the attachment warning page without requiring any interaction. A related flaw, CVE-2026-54433, exploits Roundcube’s plain-text rendering engine, silently executing malicious scripts when a victim reads an email in plain-text mode.
Both vulnerabilities were discovered by Bohdan Kurinnoy of Samsung R&D Institute Ukraine (SRUKR), underscoring the growing focus on webmail platforms as prime targets for credential theft and session hijacking. Additional fixes in the update include patches for a TNEF decoder infinite loop (DoS), password plugin session-injection flaws, SSRF bypasses, and a DoS vulnerability in compressed-RTF attachments.
Beyond security, Roundcube 1.7 resolves stability issues, including OAuth password claim retrieval errors, vCard 2.1 import bugs, and Imagick temporary file leaks. Due to the zero-click nature of the XSS flaws, Roundcube has urged administrators to prioritize the update, particularly for externally exposed instances, to prevent session hijacking and unauthorized mailbox access. A full data backup is recommended before patching.
Source: https://cybersecuritynews.com/roundcube-0-click-vulnerability/
RoundCube DOO cybersecurity rating report: https://www.rankiteo.com/company/roundcubedoo
"id": "ROU1783621569",
"linkid": "roundcubedoo",
"type": "Vulnerability",
"date": "7/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': 'Users of Roundcube webmail '
'instances, particularly '
'externally exposed instances',
'industry': 'Email/Communication',
'name': 'Roundcube',
'type': 'Software'}],
'attack_vector': 'Malicious email attachments, plain-text email rendering',
'description': 'Roundcube has released version 1.7 to address six security '
'vulnerabilities, including two critical stored cross-site '
'scripting (XSS) flaws that enable zero-click exploitation. '
'The most severe, CVE-2026-54432, allows attackers to execute '
'arbitrary JavaScript by crafting a malicious MIME type in an '
'email attachment, triggering the payload when a user views '
'the attachment warning page without requiring any '
'interaction. A related flaw, CVE-2026-54433, exploits '
'Roundcube’s plain-text rendering engine, silently executing '
'malicious scripts when a victim reads an email in plain-text '
'mode. Additional fixes include patches for a TNEF decoder '
'infinite loop (DoS), password plugin session-injection flaws, '
'SSRF bypasses, and a DoS vulnerability in compressed-RTF '
'attachments. The update also resolves stability issues like '
'OAuth password claim retrieval errors, vCard 2.1 import bugs, '
'and Imagick temporary file leaks.',
'impact': {'identity_theft_risk': 'High (session hijacking, credential theft)',
'operational_impact': 'Potential session hijacking, unauthorized '
'mailbox access',
'systems_affected': 'Roundcube webmail instances'},
'investigation_status': 'Vulnerabilities patched',
'lessons_learned': 'Webmail platforms are prime targets for credential theft '
'and session hijacking; zero-click vulnerabilities require '
'immediate patching.',
'motivation': 'Credential theft, session hijacking, unauthorized mailbox '
'access',
'post_incident_analysis': {'corrective_actions': 'Patching vulnerabilities, '
'improving input validation, '
'and addressing stability '
'issues.',
'root_causes': 'Critical zero-click XSS '
"vulnerabilities in Roundcube's "
'MIME type handling and plain-text '
'rendering engine.'},
'recommendations': 'Prioritize patching to Roundcube 1.7, especially for '
'externally exposed instances. Conduct full data backups '
'before applying updates.',
'references': [{'source': 'Roundcube Security Advisory'},
{'source': 'Bohdan Kurinnoy (Samsung R&D Institute Ukraine)'}],
'response': {'communication_strategy': 'Urged administrators to prioritize '
'the update for externally exposed '
'instances',
'containment_measures': 'Release of patched version (1.7)',
'remediation_measures': 'Patching to Roundcube 1.7, full data '
'backup recommended before patching'},
'stakeholder_advisories': 'Administrators urged to update to Roundcube 1.7 '
'immediately.',
'title': 'Roundcube Patches Critical Zero-Click XSS Vulnerabilities in '
'Version 1.7',
'type': 'Zero-Click XSS, DoS, SSRF, Session Injection',
'vulnerability_exploited': ['CVE-2026-54432',
'CVE-2026-54433',
'TNEF decoder infinite loop',
'Password plugin session-injection flaws',
'SSRF bypasses',
'DoS in compressed-RTF attachments']}