Roundcube has introduced version 1.7 to tackle six security vulnerabilities, prominently two critical zero-click stored cross-site scripting (XSS) flaws. These vulnerabilities can be exploited without user interaction, emphasizing the urgent need for this update.
Zero-Click Vulnerabilities in Roundcube
The most concerning issue, identified as CVE-2026-54432, involves a stored XSS vulnerability. This flaw is triggered by unescaped MIME type attachments on a warning page, allowing attackers to execute arbitrary JavaScript in the victim’s session. This attack vector does not require user interaction, making it a genuine zero-click threat.
Another related vulnerability, CVE-2026-54433, affects the plain-text rendering engine of Roundcube. This flaw enables attackers to inject malicious scripts into emails, which execute when a message is viewed in plain-text mode, bypassing typical user detection methods.
Detailed Analysis of Other Security Fixes
The security update also addresses several other vulnerabilities. These include an infinite loop issue in the TNEF decoder that could lead to denial-of-service (DoS) conditions, reported by stafra. Additionally, multiple vulnerabilities in the password plugin were identified by Glendaenri and peppersghost, alongside SSRF bypass cases found by Leenear.
Moreover, the update resolves a DoS vulnerability caused by crafted compressed-RTF size values within TNEF attachments, discovered by h0rk1p. These issues highlight the ongoing need for vigilance and rapid response to security threats in webmail systems.
Importance of Immediate Update and Mitigation Strategies
Due to the zero-click nature of these XSS vulnerabilities, organizations using Roundcube should prioritize this update over regular maintenance schedules. Exploitation of CVE-2026-54432 or CVE-2026-54433 could result in session hijacking or credential theft, with attackers gaining unauthorized mailbox access without any user interaction beyond normal email viewing.
Roundcube’s advisory strongly recommends updating all production systems and performing comprehensive data backups before implementing the patch. Administrators managing self-hosted webmail instances, particularly those accessible by external users, should treat this as an urgent priority due to the ease of exploitation these flaws present.
Overall, this update not only addresses critical security issues but also includes several stability enhancements, such as improved handling of HEAD requests in static.php, corrected OAuth password claim retrieval, resolution of specific Range request errors, and fixes for loading issues with certain skin logos.
