Roundcube 0-Click Vulnerability Enables Stored XSS Attack via MIME Type Attachment

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer

Spread the love

Roundcube has released version 1.7 to patch six security vulnerabilities, including two critical stored cross-site scripting (XSS) flaws that require zero user interaction to exploit.

The update addresses issues discovered by researchers at Samsung R&D Institute Ukraine (SRUKR), among others, and comes with a strong recommendation for immediate deployment across production environments.

Roundcube 0-Click Vulnerability

The most severe issue, tracked as CVE-2026-54432, involves a stored XSS vulnerability triggered by an unescaped attachment MIME type displayed on the attachment-validation warning page.

An attacker can craft a malicious MIME type string that, when rendered without proper sanitization, executes arbitrary JavaScript in the victim’s session. Since the payload fires when the warning page loads, no click or download action is needed, making this a genuine zero-click attack vector.

A closely related flaw, CVE-2026-54433, affects Roundcube’s plain-text rendering engine. This zero-click stored XSS lets attackers inject malicious script into emails that execute silently when a victim simply views a message in plain-text mode, bypassing the visual cues users typically rely on to spot suspicious content.

Both vulnerabilities were reported by Bohdan Kurinnoy of Samsung R&D Institute Ukraine, highlighting continued security research interest in webmail platforms as high-value targets for credential theft and session hijacking.

Other Security Fixes

Roundcube 1.7 also resolves:

  • An infinite loop in the TNEF (winmail.dat) decoder that could enable denial-of-service (DoS) conditions, reported by stafra.
  • Multiple vulnerabilities in the password plugin stemming from session-injected usernames, flagged by Glendaenri and peppersghost.
  • Two new SSRF bypass cases involving specific local address URLs, discovered by Leenear.
  • A DoS vulnerability triggered by crafted compressed-RTF size values within TNEF attachments, reported by h0rk1p.

Beyond the security patches, this release includes several stability fixes: proper HEAD request handling in static.php, corrected OAuth password claim retrieval logic, resolution of a 416 error on specific Range requests, and fixes for broken skin logo loading.

The update also addresses vCard 2.1 import bugs, Imagick temporary file leaks on failure, and excessive session updates under Redis/Memcache configurations.

Mitigations

Given the zero-click nature of both XSS vulnerabilities, organizations running Roundcube should prioritize this update over routine patch cycles. Attackers exploiting CVE-2026-54432 or CVE-2026-54433 could achieve session hijacking, credential theft, or unauthorized mailbox access without any victim interaction beyond normal email viewing.

Roundcube’s advisory explicitly recommends updating all production installations and performing a full data backup before applying the patch.

Administrators managing self-hosted webmail instances, particularly those exposed to external users, should treat this as an urgent action item, given the low barrier to exploitation these flaws present.

Stop Accepting SLAs Written for 2019 SOCs – Here’s the 2026 AI SLA Vendor ChecklistDownload Free AI SOC SLA Guide