Roundcube 1.7.2 Fixes Zero-Click XSS, SSRF Bypass — Urgent Patch for Webmail Servers
Roundcube has released version 1.7.2, a security-focused update that patches multiple high-impact vulnerabilities affecting the popular open-source webmail client.
The update addresses a critical zero-click stored cross-site scripting (XSS) flaw, additional stored XSS issues tied to attachment handling, two server-side request forgery (SSRF) bypass techniques, and several bugs in the password plugin and TNEF parsing that together could lead to account compromise, privilege escalation, denial-of-service, or data exfiltration.
Administrators are urged to treat 1.7.2 as a priority security upgrade for all production deployments and to back up configurations before applying the release.
Roundcube 1.7.2 Fixes Zero-Click XSS, SSRF Bypass
The most severe fix in 1.7.2, tracked as CVE-2026-54433, closes a zero-click stored XSS vulnerability in Roundcube’s plain-text email rendering.
An attacker can craft an email whose embedded payload executes automatically when the message is rendered in the webmail client, no user interaction required.
Because the exploit triggers on view rather than on user clicks, it raises the risk profile dramatically: successful exploitation can enable session hijacking, credential theft, or arbitrary actions within the victim’s authenticated webmail session.
The ease of exploitation and the stealthy nature of zero-click bugs make CVE-2026-54433 especially dangerous in high-volume mail gateways and shared hosting environments.
A separate stored XSS, CVE-2026-54432, stems from insufficient sanitization of attachment MIME types on the attachment validation warning page.
Attackers can weaponize specially crafted attachments that bypass validation and cause script execution when users engage with warning prompts.
Because attachment handling is a common user action, this weakness provides an additional, practical vector for delivering persistent client-side payloads.
Roundcube 1.7.2 also mitigates two SSRF bypass techniques that exploit URL-parsing edge cases. By manipulating request targets, an attacker running within the webmail context can coerce the server into making HTTP requests to internal or restricted resources.
SSRF in webmail is particularly concerning: it can be used to pivot into back-end services, retrieve instance metadata on cloud-hosted systems, or interact with internal management APIs that should not be exposed to untrusted actors.
The release further addresses multiple security issues in Roundcube’s password plugin related to session-injected usernames.
Under specific conditions, these weaknesses could enable unauthorized password changes or privilege escalation, undermining account integrity.
Additional fixes close a denial-of-service vector involving crafted compressed RTF data inside TNEF (winmail.dat) attachments, exploitation could cause excessive resource consumption or service disruption, and correct an infinite loop in the TNEF decoder that could hang mail parsing processes.
Beyond security patches, 1.7.2 includes stability and performance improvements: corrections to the static.php handler, improved OAuth claim handling, fixes for Range request processing, and bug resolutions for vCard imports, session storage behavior, and Imagick temporary file handling.
The maintainers classify the release as stable and advise operators to test upgrades in staging where possible, then deploy promptly.
A practical exploitation scenario illustrates the stakes: an attacker sends a specially crafted message containing the zero-click XSS payload to a target.
When the recipient opens the message in a vulnerable Roundcube instance, the payload executes silently, giving the attacker an active session token or the ability to perform mailbox actions without visible signs.
Given Roundcube’s wide adoption across enterprises and hosting providers, unpatched instances represent attractive targets for opportunistic and targeted attackers alike.
Mitigation recommendations: upgrade to Roundcube 1.7.2 immediately; apply web application hardening (content security policy, HTTP-only and secure cookies, same-site attributes); enforce strict email and attachment filtering at the gateway; monitor logs for anomalous internal requests that could indicate SSRF attempts; and rotate credentials if compromise is suspected.
Administrators should consult the official Roundcube release notes for detailed remediation steps and follow standard change-management practices during deployment.
No Comment! Be the first one.