Roundcube Flaws Raise Webmail Security Alarm (Arabian Post)
Roundcube Webmail versions 1.6.16 and 1.7.1, released on 24 May 2026, address a set of vulnerabilities affecting the 1.6 long-term support line and the 1.7 branch. The most closely watched issue is a pre-authentication SQL injection flaw in the virtuser_query virtual-user mapping, the lookup that resolves a mail address to a Roundcube user: its escaping routine, built on preg_replace, can be bypassed with a backslash, allowing an attacker to inject database queries before logging in.
The flaw, tracked as CVE-2026-48842, affects Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7.1. Its pre-authentication nature raises the risk profile: exposed installations can be targeted without the attacker first holding valid credentials. Depending on the database account's privileges and the server configuration, SQL injection can be used to read user data, alter records or serve as the first step in a chain with other weaknesses.
Roundcube's maintainers also patched a stored XSS (HTML and CSS injection) issue in the subject field of the draft-restore dialogue. That vulnerability, CVE-2026-48849, can be triggered in shared-mailbox settings, where maliciously crafted message data is rendered to a user other than its author. While its severity is lower than the SQL injection bug, stored XSS remains a serious concern for webmail platforms because the injected script runs in the victim's authenticated session and is routinely used to hijack sessions, steal credentials or manipulate mailbox content.
Another fixed flaw is insufficient CSS sanitisation of HTML email messages: stylesheet links pointing at local network hosts could lead to server-side request forgery or information disclosure. Such issues are especially sensitive in hosted email environments because the fetch is made by the webmail server, which may have access to internal services that are not reachable from the public internet.
The update also addresses an SSRF bypass through specific local-address URL forms, a bypass of the local or private URL fetch restriction when remote resources are disabled, and a bypass of remote image blocking through CSS variables. Remote-content restrictions are a core privacy control in webmail clients: they block tracking pixels, information leaks and the silent requests that merely viewing a message would otherwise trigger.
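The two preceding paragraphs describe the same failure mode from two sides: a filter that does not see every resource a stylesheet will load, and a target check that does not recognise every way of writing a local address. The following is an added Python illustration, not Roundcube's sanitiser: a property-based url() filter of the kind that misses a URL parked in a CSS custom property, the expansion step that makes it visible, and a target classifier built on the standard ipaddress module. The stylesheet, the tracker hostname and the property allowlist are constructed for the example.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Added illustration, not Roundcube's sanitiser: resolve CSS custom properties
# before looking for url() tokens, then classify each target as local or remote.

URL_RE = re.compile(r"""url\(\s*(['"]?)([^'")\s]+)\1\s*\)""", re.IGNORECASE)
DECL_RE = re.compile(r"([\w-]+)\s*:\s*([^;}]+)")
VAR_DECL_RE = re.compile(r"(--[\w-]+)\s*:\s*([^;}]+)")
VAR_USE_RE = re.compile(r"var\(\s*(--[\w-]+)\s*\)")

# Constructed allowlist for the flawed filter: properties known to load resources.
LOADING_PROPERTIES = {"background", "background-image", "list-style-image",
                      "content", "cursor", "border-image", "mask-image"}


def urls_by_property(css: str) -> list:
    """Flawed filter: inspects only the properties above. It never looks inside
    a custom property, and 'background: var(--px)' contains no url() token."""
    found = []
    for prop, value in DECL_RE.findall(css):
        if prop.lower() in LOADING_PROPERTIES:
            found += [m.group(2) for m in URL_RE.finditer(value)]
    return list(dict.fromkeys(found))


def expand_vars(css: str, max_passes: int = 5) -> str:
    """Substitute var(--name) with its declared value so a URL hidden in a custom
    property becomes visible. Bounded passes handle nested references and cycles."""
    decls = dict(VAR_DECL_RE.findall(css))
    for _ in range(max_passes):
        expanded = VAR_USE_RE.sub(lambda m: decls.get(m.group(1), m.group(0)), css)
        if expanded == css:
            break
        css = expanded
    return css


def all_urls(css: str) -> list:
    """Every url() target anywhere in the stylesheet, in order, de-duplicated."""
    return list(dict.fromkeys(m.group(2) for m in URL_RE.finditer(css)))


def classify_target(url: str) -> str:
    """'local' for loopback, private, link-local, unspecified, reserved, multicast
    and localhost targets; 'remote' otherwise; 'invalid' when no host parses.
    A named host can only be judged after DNS resolution, at fetch time."""
    host = urlsplit(url).hostname
    if not host:
        return "invalid"
    if host == "localhost" or host.endswith(".localhost"):
        return "local"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "remote"
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped   # ::ffff:127.0.0.1 is still loopback
    if (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_unspecified or ip.is_reserved or ip.is_multicast):
        return "local"
    return "remote"


def audit_css(css: str) -> list:
    """(url, verdict) pairs for every fetch the stylesheet would trigger."""
    return [(u, classify_target(u)) for u in all_urls(expand_vars(css))]


# Constructed sample stylesheet: a tracking pixel reached through a custom
# property, and two loopback targets written in different address forms.
SAMPLE_CSS = """
:root { --px: url(http://tracker.example/pixel.gif); }
body   { background: var(--px); }
.a     { background-image: url("http://127.0.0.1:8080/admin"); }
.b     { background: url(http://[::1]/); }
.c     { color: red; }
"""

if __name__ == "__main__":
    print("property-based filter sees:", urls_by_property(SAMPLE_CSS))
    for url, verdict in audit_css(SAMPLE_CSS):
        print(f"{verdict:7} {url}")
```

The classifier deliberately returns "remote" for any hostname it cannot parse as an IP address: a name such as tracker.example may resolve to 127.0.0.1 or to an internal address, so the decisive check belongs at fetch time, on the address the resolver actually returned, with redirects re-checked the same way. Shorthand address forms the standard library does not parse are a known gap of this sketch and one reason the advisory's "specific local address URLs" class exists.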
A separate pre-authentication arbitrary file deletion vulnerability, reachable through Redis or Memcache session poisoning, has also been fixed. Roundcube further removed support for code evaluation in the LDAP autovalues option, closing a code injection route. Together, the patches amount to a broad hardening effort across message rendering, authentication-adjacent lookups, session handling and directory integration.
Roundcube is widely deployed as a browser-based IMAP client and is commonly bundled in shared hosting environments. Its PHP code base supports MariaDB, MySQL, PostgreSQL and SQLite, and its plugin system allows hosting providers and enterprises to customise deployments. That flexibility also means exposure varies sharply depending on installed plugins, enabled features and hosting architecture.
The advisory recommends updating all production installations running Roundcube 1.6.x or 1.7.x. Administrators running distribution-packaged builds should check whether their operating system vendor has backported the fixes, since package versions in Linux repositories do not track upstream numbering and an older-looking version string may already carry the patch. Debian's security tracker lists fixed packages for the affected builds in supported release channels, which underlines the need to follow vendor advisories rather than relying on upstream version labels alone.
Security teams should prioritise internet-facing Roundcube instances, shared hosting panels and deployments used by journalists, government offices, law firms, financial firms and civil society groups. Webmail servers are attractive targets because they sit close to sensitive communications, password reset flows, contact lists and internal attachments. Compromise of one mailbox can give attackers a route into wider fraud, espionage or business email compromise campaigns.
Roundcube has been targeted repeatedly in previous cyber-espionage and credential-theft operations. Attackers have used crafted emails, malicious HTML, XSS payloads and server-side vulnerabilities to gain mailbox access, harvest address books, steal session data and set forwarding rules. That history gives fresh Roundcube flaws immediate operational significance, even where exploitation of a newly disclosed issue has not been publicly confirmed.
Administrators should confirm the installed version, identify whether virtuser_query or related plugins are enabled, review logs for suspicious unauthenticated requests, and inspect outbound traffic from the server for fetches of internal or private addresses that may indicate SSRF activity. Mail server operators should also check for unexpected forwarding rules, new filters, unexplained login patterns and unusual database errors around the disclosure window, the last of these being a common trace of SQL injection probing.
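The first two of those checks, version and virtuser_query, can be scripted. The following is an added triage helper, not part of Roundcube or of the advisory; it assumes the upstream layout in which program/include/iniset.php defines RCMAIL_VERSION and config/config.inc.php assigns $config['virtuser_query'], and both sample file contents are constructed. The fixed-version table is taken from the affected ranges stated above.

```python
import re

# Added triage helper, not part of Roundcube or the advisory. It assumes the
# upstream layout where program/include/iniset.php defines RCMAIL_VERSION and
# config/config.inc.php sets $config['virtuser_query']; verify both on your tree.

# First fixed release on each affected line, per the ranges stated above.
FIXED_IN = {(1, 6): (1, 6, 16), (1, 7): (1, 7, 1)}


def parse_version(version: str) -> tuple:
    """Leading x.y.z of a version string; distribution suffixes are ignored."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(x) for x in m.groups())


def version_status(version: str) -> str:
    """'fixed' or 'vulnerable' on the 1.6 and 1.7 lines, 'unknown' on any other
    line, which the advisory does not cover. For a distribution package a
    'vulnerable' result means 'check the vendor advisory', because the vendor
    may have backported the fix without changing the upstream-looking number."""
    major, minor, patch = parse_version(version)
    fixed = FIXED_IN.get((major, minor))
    if fixed is None:
        return "unknown"
    return "fixed" if (major, minor, patch) >= fixed else "vulnerable"


def installed_version(iniset_php: str) -> str:
    """Pull the version out of the define('RCMAIL_VERSION', '...') statement."""
    m = re.search(r"define\(\s*'RCMAIL_VERSION'\s*,\s*'([^']+)'\s*\)", iniset_php)
    if not m:
        raise ValueError("RCMAIL_VERSION not found")
    return m.group(1)


def virtuser_query_enabled(config_php: str) -> bool:
    """True when $config['virtuser_query'] is assigned a non-empty value."""
    m = re.search(r"\$config\['virtuser_query'\]\s*=\s*(.+?)\s*;", config_php, re.S)
    if not m:
        return False
    return m.group(1).strip() not in {"''", '""', "null", "NULL", "false", "[]", "array()"}


def triage(iniset_php: str, config_php: str) -> dict:
    """One record per host: version, patch status, and whether the lookup the
    pre-authentication SQL injection lives in is configured at all."""
    version = installed_version(iniset_php)
    return {
        "version": version,
        "status": version_status(version),
        "virtuser_query": virtuser_query_enabled(config_php),
    }


# Constructed file contents for a hypothetical 1.6.15 host with the mapping on.
SAMPLE_INISET = "<?php\ndefine('RCMAIL_VERSION', '1.6.15');\n"
SAMPLE_CONFIG = (
    "<?php\n"
    "$config['virtuser_query'] = \"SELECT user FROM virtual_users WHERE email = '%u'\";\n"
)

if __name__ == "__main__":
    print(triage(SAMPLE_INISET, SAMPLE_CONFIG))
```

Run across a fleet, the "status" field sorts hosts into the order the advisory asks for: vulnerable upstream builds first, packaged builds checked against the vendor tracker, and hosts with virtuser_query configured ahead of those without, since only the former expose the pre-authentication lookup.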