Emergency: Update Roundcube Webmail to Versions 1.6.14 Immediately
Roundcube Patches Eight Security Flaws Across Versions 1.6.14, 1.5.14 and 1.7 RC5
A coordinated release on 18 March 2026 closes a pre-authentication file-write flaw, a silent password-change bug, IMAP injection, remote-image bypasses, and more — as nation-state actors continue to target the popular open-source webmail platform.
The Roundcube development team strongly recommends updating all production installations of Roundcube 1.6.x and 1.5.x immediately. Back up your data before applying the update.
The Roundcube project released security updates on 18 March 2026, issuing versions 1.6.14, 1.5.14, and 1.7 RC5 simultaneously. All three packages carry the same set of eight security fixes, addressing vulnerabilities reported by independent researchers spanning pre-authentication server compromise to client-side cross-site scripting.
Roundcube remains one of the most widely deployed open-source webmail platforms, used by universities, governments, and hosting providers worldwide. That ubiquity has made it a persistent target for both opportunistic attackers and advanced persistent threat (APT) groups. This release resolves the largest batch of concurrent vulnerabilities the project has disclosed in a single update cycle in recent memory.
Affected & Updated Versions
Users unable to migrate to the 1.6.x branch should apply the 1.5.14 LTS update. The 1.7 release candidate is not recommended for production environments, but the same patches have been included to ensure no regressions appear in the forthcoming stable release.
Vulnerability Breakdown
The following eight vulnerabilities were addressed in this release. Reporters are credited as disclosed in the official GitHub changelog.
| Vulnerability | Severity | Reporter |
|---|---|---|
| Pre-auth arbitrary file write via unsafe deserialization in Redis/Memcache session handler | Critical | y0us |
| Password change without requiring the old password | Critical | flydragon777 |
| IMAP Injection + CSRF bypass in mail search functionality | High | Martila Security Research Team |
| Remote image blocking bypass via various SVG animate attributes | High | nullcathedral |
| Remote image blocking bypass via crafted body background attribute | High | nullcathedral |
| Fixed-position mitigation bypass via !important CSS rule | Medium | nullcathedral |
| XSS in HTML attachment preview | High | aikido_security |
| SSRF + Information Disclosure via stylesheet links to local network hosts | High | Georgios Tsimpidas (Frey), i0.rs |
The Most Dangerous Flaw: Pre-Auth File Write
The highest-severity vulnerability in this batch allows an unauthenticated attacker to write arbitrary files to the server. The flaw originates from unsafe deserialization within Roundcube’s session handling code when Redis or Memcache is configured as the session backend. Because exploitation requires no credentials, a successful attack can serve as a foothold for remote code execution — making it especially dangerous on publicly exposed installations.
“Attackers could write malicious files to the server before ever logging in — a classic precursor to full remote code execution.”
Pre-auth File Write — CVE pending · Redis/Memcache Session Handler
Remote Image Blocking Bypasses
Roundcube includes a feature to block the automatic loading of remote images in emails, primarily to prevent tracking pixels from revealing when a message is opened. Researcher nullcathedral identified three distinct methods to circumvent this protection, all now resolved in this update:
The first two involve SVG markup, specifically abusing the animate element's attributes to trigger outbound image requests even when remote loading is nominally blocked. The third exploits a specially crafted body background attribute in the email's HTML body. A fourth bypass using CSS !important to defeat Roundcube's fixed-position element mitigation was also reported by the same researcher and has been patched.
Account and Session-Level Vulnerabilities
A particularly serious logic flaw allowed an attacker with temporary session access — gained through phishing, session theft, or a shared device — to change a target account’s password without knowing the current credential. This effectively allowed permanent account takeover from a transient foothold.
The IMAP injection plus CSRF bypass combination is similarly impactful. IMAP injection allows an attacker-controlled payload embedded in search parameters to issue arbitrary IMAP commands against the backend mail server. When combined with a CSRF bypass in the same search endpoint, this could be exploited cross-origin without user interaction beyond visiting a malicious page.
The XSS vulnerability in HTML attachment previews enables script execution in the victim’s browser within the Roundcube origin, potentially exfiltrating email content or session tokens. The SSRF flaw via stylesheet link injection could be used to probe internal network topology — a technique commonly used in post-compromise lateral movement.
A Recurring Target of State-Sponsored Actors
The timing of this patch release reflects a broader pattern: Roundcube has become one of the most actively exploited webmail platforms by sophisticated nation-state adversaries. Two groups in particular have waged sustained campaigns against it.
Winter Vivern exploited the zero-day XSS flaw CVE-2023-5631 against Roundcube Webmail servers of governmental entities and a think tank in Europe. The group used spear-phishing emails containing a specially crafted SVG attachment that, when viewed in Roundcube, silently executed malicious JavaScript to exfiltrate email content.
APT28, attributed to Russia’s GRU military intelligence directorate, ran a campaign dubbed Operation RoundPress, exploiting XSS vulnerabilities including CVE-2023-5631 against Ukrainian government agencies and defense companies. Their purpose-built toolkit included modules for bulk email exfiltration and, notably, a capability to bypass two-factor authentication in targeted Roundcube deployments.
In some cases, both Winter Vivern and APT28 were found to have independently targeted the same Roundcube servers using the same underlying vulnerability — underscoring the platform’s prominence as an intelligence collection target.
What Administrators Should Do
The Roundcube team recommends that all administrators running production installations upgrade immediately. Installations using Redis or Memcache as the session backend are at heightened risk given the pre-authentication file-write flaw and should be prioritized.
Before updating, administrators should take a complete backup of the Roundcube installation directory and database. Post-update, session stores (Redis/Memcache keys) should be flushed to invalidate any sessions that may have been compromised. Organizations relying on Roundcube for sensitive communications — particularly those in government, defense, or critical infrastructure — should treat this update as urgent.
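As an added example (not code from the Roundcube project or from this article), the following Python triage script applies the fixed versions named in the advisory to a constructed host inventory and orders unpatched hosts by urgency, putting Redis/Memcache session backends first as the text recommends. Host names, version strings and the session_storage values are assumed sample data; mapping that field to Roundcube's config.inc.php setting is an assumption.

```python
import re
from typing import NamedTuple

# Fixed releases from the 18 March 2026 advisory, one per supported branch.
FIXED = {"1.5": (1, 5, 14), "1.6": (1, 6, 14)}
FIXED_RC = 5  # 1.7 RC5 carries the same eight fixes
# The pre-auth file write lives in the Redis/Memcache session handlers.
HIGH_RISK_BACKENDS = {"redis", "memcache"}

class Host(NamedTuple):
    name: str
    version: str          # e.g. "1.6.13", "1.5.14", "1.7-rc4"
    session_storage: str  # assumed to mirror $config['session_storage'] in config.inc.php

def parse_version(v):
    """Return (major, minor, patch, rc); rc is None for stable releases."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:[-. ]?rc(\d+))?", v.strip().lower())
    if not m:
        raise ValueError(f"unrecognised Roundcube version: {v!r}")
    major, minor, patch, rc = m.groups()
    return int(major), int(minor), int(patch or 0), (int(rc) if rc else None)

def needed_upgrade(version):
    """Return the version to move to if `version` lacks the fixes, else None."""
    major, minor, patch, rc = parse_version(version)
    branch = f"{major}.{minor}"
    if branch in FIXED:
        return None if (major, minor, patch) >= FIXED[branch] else ".".join(map(str, FIXED[branch]))
    if branch == "1.7":  # release candidates: only RC5 (or later) is patched
        return None if rc is None or rc >= FIXED_RC else "1.7 RC5"
    # Branches older than 1.5 are not covered by this release; assumption: migrate to 1.6.14.
    return "1.6.14" if (major, minor) < (1, 5) else None

def triage(hosts):
    """Unpatched hosts first by backend risk (P1 = Redis/Memcache), then by name."""
    findings = []
    for h in hosts:
        target = needed_upgrade(h.version)
        if target is None:
            continue
        urgent = h.session_storage.lower() in HIGH_RISK_BACKENDS
        findings.append((0 if urgent else 1, h.name, h.version, target, urgent))
    return [{"host": n, "installed": v, "upgrade_to": t, "priority": "P1" if u else "P2"}
            for _, n, v, t, u in sorted(findings)]

INVENTORY = [  # constructed sample inventory, not real hosts
    Host("mail-a", "1.6.13", "redis"), Host("mail-b", "1.6.14", "redis"),
    Host("mail-c", "1.5.12", "db"), Host("mail-d", "1.7-rc4", "memcache"),
    Host("mail-e", "1.7 RC5", "php"),
]
```

Running triage(INVENTORY) lists mail-a and mail-d as P1 ahead of mail-c, while the two already-patched hosts are omitted.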
