Critical Roundcube 0-Click Vulnerability Lets Attackers Inject Stored XSS
Key Takeaways Roundcube has released version 1.7 to address six security vulnerabilities, including two critical zero-click stored Cross-Site Scripting (XSS) flaws. The most severe issues,...
Key Takeaways
- Roundcube has released version 1.7 to address six security vulnerabilities, including two critical zero-click stored Cross-Site Scripting (XSS) flaws.
- The most severe issues, CVE-2026-54432 and CVE-2026-54433, allow attackers to inject malicious scripts without user interaction, potentially leading to session hijacking or credential theft.
- These vulnerabilities were discovered by researchers, including Bohdan Kurinnoy of Samsung R&D Institute Ukraine.
- The update also resolves several other security concerns, such as denial-of-service conditions and SSRF bypasses.
- Immediate patching is strongly recommended for all Roundcube installations, especially those in production environments.
Critical Roundcube 0-Click Vulnerability Patched
Roundcube, a widely used webmail client, has issued a vital security update, version 1.7, to mitigate six identified vulnerabilities. This release is particularly crucial as it addresses two severe stored Cross-Site Scripting (XSS) flaws that can be exploited with zero user interaction, posing a significant risk to user data and session integrity.
Table Of Content
The patches incorporate findings from various researchers, notably those from the Samsung R&D Institute Ukraine (SRUKR), and come with an urgent recommendation for immediate implementation across all operational environments.
Zero-Click XSS Exploits Detailed
The most pressing vulnerability, identified as CVE-2026-54432, is a stored XSS flaw. This vulnerability arises from the webmail client’s failure to properly escape an attachment’s MIME type when displayed on the attachment-validation warning page. An attacker can craft a malicious MIME type string that, when rendered by an unsuspecting victim’s browser, executes arbitrary JavaScript within their session. Crucially, this exploit requires no user interaction—the malicious script activates simply by the warning page loading, classifying it as a genuine zero-click attack.
A related vulnerability, CVE-2026-54433, also presents a zero-click stored XSS risk, specifically impacting Roundcube’s plain-text rendering engine. This flaw enables attackers to embed malicious scripts directly into emails. When a victim views such an email in plain-text mode, the script executes silently, bypassing typical visual cues that might alert users to suspicious content. Both of these critical vulnerabilities were reported by Bohdan Kurinnoy of Samsung R&D Institute Ukraine, underscoring the ongoing focus of security researchers on webmail platforms as attractive targets for credential theft and session hijacking operations.
Additional Security Enhancements
Beyond the critical XSS issues, Roundcube 1.7 introduces fixes for several other security vulnerabilities:
- An infinite loop within the TNEF (winmail.dat) decoder, which could be exploited to trigger denial-of-service (DoS) conditions, a discovery attributed to stafra.
- Multiple vulnerabilities in the password plugin, stemming from session-injected usernames, identified by Glendaenri and peppersghost.
- Two new Server-Side Request Forgery (SSRF) bypass cases related to specific local address URLs, reported by Leenear.
- A DoS vulnerability exploitable through crafted compressed-RTF size values embedded within TNEF attachments, brought to light by h0rk1p.
In addition to these security patches, the update also includes various stability improvements. These cover proper handling of HEAD requests in static.php, refined OAuth password claim retrieval logic, resolution of a 416 error for specific Range requests, and fixes for issues affecting skin logo loading. Furthermore, the release addresses vCard 2.1 import bugs, prevents Imagick temporary file leaks upon failure, and optimizes excessive session updates under Redis/Memcache configurations.
What You Should Do
Given the zero-click nature of the critical XSS vulnerabilities, organizations utilizing Roundcube must prioritize this update above routine patch cycles. Exploitation of CVE-2026-54432 or CVE-2026-54433 could lead to severe consequences, including session hijacking, credential theft, or unauthorized access to mailboxes, all without requiring any direct interaction from the victim beyond viewing an email.
Roundcube’s advisory explicitly recommends that all production installations be updated immediately, advising a full data backup before applying the patch. Administrators managing self-hosted webmail instances, particularly those accessible to external users, should consider this an urgent security mandate due to the low barrier to exploitation these flaws present.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.