Roundcube Webmail 1.7.2 Fixes Critical Zero-Click XSS: Immediate Patching Urgent

Roundcube has released version 1.7.2 addressing six security vulnerabilities, including CVE-2026-54433, a critical zero-click stored XSS flaw that executes malicious payloads automatically when users view plain-text emails. Enterprise administrators must patch immediately.

Omar Al-Hakeem
Senior Cyber Threat Analyst | MENA Region3 min read
System administrator reviewing Roundcube webmail interface with security alert notification, representing CVE-2026-54433 zero-click XSS vulnerability patching requirements

System administrator reviewing Roundcube webmail interface with security alert notification, representing CVE-2026-54433 zero-click XSS vulnerability patching requirements

Roundcube has released version 1.7.2, a security-focused update addressing six vulnerabilities that pose immediate risks to global webmail deployments. The release was pushed by maintainer alecpl on July 5, 2026, with urgent guidance that all production systems update immediately after backing up configuration and database files.

Critical Zero-Click Stored XSS (CVE-2026-54433)

The most severe issue is tracked as CVE-2026-54433, a stored cross-site scripting (XSS) vulnerability in Roundcube's plain-text rendering engine. Unlike typical XSS flaws that require user interaction, this vulnerability executes automatically when a victim simply views an email message.

An attacker can embed malicious payloads directly in plain-text emails. When a victim opens the message, the payload executes in the webmail context, potentially stealing session cookies, redirecting users to credential-harvesting sites, or performing unauthorized actions on behalf of the user. This removes critical protective layers since no link clicks or attachment downloads are required.

Attachment Handling XSS (CVE-2026-54432)

A second stored XSS flaw, tracked as CVE-2026-54432, involves unescaped attachment MIME type data displayed on the attachment-validation warning page. This exploit requires slightly more user interaction but operates through the same output-sanitization gap as the zero-click flaw. Both CVEs were reported by Bohdan Kurinnoy of Samsung R&D Institute Ukraine (SRUKR), highlighting a pattern of insufficient output sanitization in Roundcube's rendering pipeline.

SSRF Bypass Vulnerabilities

Researcher Leenear identified two new bypass techniques for Roundcube's Server-Side Request Forgery (SSRF) protections. These involve specially crafted local-address URLs that circumvent the application's local-address filtering logic.

SSRF vulnerabilities typically allow attackers to coerce a server into making unauthorized internal network requests, exposing internal services, cloud metadata endpoints, or sensitive API functions. This second round of SSRF bypass fixes suggests that the underlying validation approach may require an architectural review rather than incremental patching.

Denial-of-Service Flaws in Email Parsing

Version 1.7.2 also addresses two separate denial-of-service (DoS) vulnerabilities in Roundcube's TNEF decoder, which parses Microsoft Outlook's proprietary winmail.dat attachment format:

  • Infinite Loop Condition (Issue #10193): Reported by stafra, an attacker can craft a TNEF attachment designed to hang server resources, exhausting CPU and memory on the Roundcube server.
  • Resource Exhaustion: Reported by h0rk1p, this flaw involves a crafted compressed-RTF size field within TNEF attachments that triggers resource exhaustion during decompression.

Session Injection Risks in Password Plugin

Separate vulnerabilities in the password plugin are tied to session-injected usernames. This flaw could allow attackers to manipulate password-change requests using attacker-controlled session data, a risk that is heightened if user sessions are not properly isolated.

General Fixes and Improvements

Beyond security patches, version 1.7.2 includes several operational improvements:

  • Added a HEAD request handler to static.php to properly support range requests.
  • Corrected OAuth password-claim retrieval logic and resolved a 416 error on ranged requests.
  • Fixed skin logo loading failures.
  • Addressed improper vCard 2.1 line unfolding during contact imports.
  • Resolved temporary file leakage in Imagick on failure conditions.

Recommended Action for Administrators

Given the zero-click nature of CVE-2026-54433, administrators managing multi-tenant or high-visibility webmail deployments face elevated risk. A single malicious email could compromise sessions across an organization without any user interaction.

Organizations should prioritize this update over routine patch cycles. Before upgrading, back up all configuration and database files, and verify plugin compatibility, particularly for the password plugin given the session-handling changes in this release.

Omar Al-Hakeem

Senior Cyber Threat Analyst | MENA Region

Omar Al-Hakeem is a cybersecurity researcher specializing in threat intelligence, ransomware trends, and nation-state activity across the Middle East and North Africa. With over 12 years of experience in SOC operations and incident response, he provides deep technical breakdowns of emerging attacks and regional cyber risks. At MENA Cyber Wire, Omar focuses on real-world threat analysis and actionable defense strategies for enterprises and startups.