Roundcube Releases Emergency Security Updates 1.6.16 & 1.7.1 — Patch Now
The Roundcube project shipped critical security fixes on May 24, 2026, patching eight vulnerabilities including pre-auth SQL injection, code injection, arbitrary file deletion, stored XSS and SSRF bypasses. Installations on 1.6.15 (or 1.7.0 on the 1.7 branch) are directly exposed and should be updated immediately.
Fact-check verdict: Mostly accurate with one important correction. The core claim — that Roundcube published emergency security updates on May 24, 2026 — is confirmed and accurate. The release is real, the vulnerability categories are real, and the urgency is warranted. However, one detail requires correction: the original description calls these vulnerabilities “pre-authentication SQL injection, code injection, and arbitrary file deletion” as though they are three isolated high-risk flaws. In reality, the official changelog lists eight distinct security fixes, including stored XSS, CSS injection bypass, SSRF bypass, and remote image blocking bypass — a broader attack surface than the summary suggests.
Correction: The “pre-auth SQL injection” specifically refers to a bypass in the virtuser_query plugin via a preg_replace backslash escape; it is plugin-scoped, not a core engine flaw. Installations that do not enable the virtuser_query plugin are not affected by that specific issue. Likewise, the changelog ties the pre-auth arbitrary file deletion to Redis / Memcache session poisoning, so it concerns installations using one of those session backends rather than the default database session store. The remaining vulnerabilities (XSS, SSRF, code injection via the LDAP autovalues option) affect the core and are broadly applicable. The framing of exactly three flaws understates the actual patch scope.
What Happened: Official Release Confirmed
On May 24, 2026, the Roundcube development team published simultaneous security updates for both the 1.6 LTS branch (version 1.6.16) and the 1.7 stable branch (version 1.7.1). The announcement was made on the official Roundcube website and the GitHub releases page.
The official changelog lists eight security fixes patched in both releases:
- Stored XSS / HTML / CSS injection in the subject field of the draft restore dialog (reported by zazy)
- CSS injection bypass in the HTML sanitizer via SVG `<animate attributeName="style">` (reported by wooseokdotkim)
- Pre-auth SQL injection in the `virtuser_query` plugin via `preg_replace` backslash escape bypass (reported by skull)
- SSRF bypass via specific local address URLs
- Local / private URL fetch bypass when remote resources were not allowed (reported by Orange Cyberdefense VDT)
- Remote image blocking bypass via CSS `var()` (reported by Geame)
- Pre-auth arbitrary file deletion via Redis / Memcache session poisoning bypass (reported by valent1)
- Code injection vulnerability — removal of code evaluation support in the LDAP `autovalues` option (reported by Glendaenri)
The Roundcube team states: “We strongly recommend to update all productive installations of Roundcube 1.6.x and 1.7.x with these new versions.”
Is an Upgrade from 1.6.15 Necessary?
Yes — upgrading is strongly recommended for any production server. Version 1.6.15 is directly exposed to all eight vulnerabilities listed above (1.7.0 is the equivalent on the 1.7 branch). Several of them are pre-authentication issues, meaning an attacker does not need a valid login to exploit them. The SSRF, CSS injection, and image-blocking bypasses can be triggered by a crafted email alone. The session-poisoning file deletion needs no user interaction beyond the server being reachable, but the changelog scopes it to installations whose session storage is Redis or Memcache, just as the SQL injection is scoped to installations with the virtuser_query plugin enabled. Neither scoping is a reason to defer: the XSS, SSRF and LDAP code-injection fixes apply to every install.
There is no indication from the Roundcube project that a compensating control or WAF rule exists as an alternative — the fix is in the application code itself, and the only supported remediation is upgrading.
Two Upgrade Paths: Which Is Right for You?
Option A — Upgrade to 1.6.16
- Pure security patch, no new features
- No web server (Nginx / Apache) reconfiguration needed
- No PHP version change required
- Compatible with all existing 1.6.x plugins
- Completable in under 10 minutes with a backup
- Recommended by the project for LTS users
Option B — Upgrade to 1.7.1
- New features: Markdown email, hover shortcut menu
- Requires DocumentRoot → `public_html/` change in Nginx / Apache
- Drops PHP < 8.1 (Debian 12 ships PHP 8.2 ✔)
- Removes MS SQL and Oracle DB support
- Third-party plugins may need compatibility review
- Plan for 30–60 min including testing
How to Upgrade from 1.6.15 to 1.6.16 (Debian 12)
Step 1 — Back everything up first
```bash
# Back up the Roundcube files
sudo cp -a /var/www/roundcube /var/www/roundcube.bak.$(date +%Y%m%d)

# Back up the database (adjust credentials as needed)
mysqldump -u roundcube -p roundcube > ~/roundcube_db_backup_$(date +%Y%m%d).sql
```
Step 2 — Download the 1.6.16 release
```bash
cd /tmp
wget https://github.com/roundcube/roundcubemail/releases/download/1.6.16/roundcubemail-1.6.16-complete.tar.gz
wget https://github.com/roundcube/roundcubemail/releases/download/1.6.16/roundcubemail-1.6.16-complete.tar.gz.asc

# Verify the GPG signature (recommended). This only says "Good signature" if the
# Roundcube release-signing public key is already in your keyring; an "unknown key"
# result means the check has not actually proven anything.
gpg --verify roundcubemail-1.6.16-complete.tar.gz.asc roundcubemail-1.6.16-complete.tar.gz

tar -xzf roundcubemail-1.6.16-complete.tar.gz
```
Step 3 — Copy the new release over the existing installation
```bash
# Copy new files over the existing installation, preserving your config.
# No --delete, so third-party plugins that are not in the tarball stay in place.
sudo rsync -av --exclude='config/config.inc.php' \
    --exclude='logs/' --exclude='temp/' \
    /tmp/roundcubemail-1.6.16/ /var/www/roundcube/

# Fix ownership (rsync -a keeps the ownership of the files you extracted in /tmp)
sudo chown -R www-data:www-data /var/www/roundcube
```
Step 4 — Run the database migration script
```bash
cd /var/www/roundcube
php bin/updatedb.sh --package=roundcube --dir=SQL
```
Step 5 — Clear cache and verify
```bash
# Clear Roundcube's internal cache
sudo -u www-data php /var/www/roundcube/bin/clearcache.sh

# Confirm the version
grep 'version' /var/www/roundcube/index.php | head -3
```
After completing these steps, log in to Roundcube in a browser and confirm the version shown in Settings → About is 1.6.16. Check your web server error logs for any anomalies.
Remove the installer directory if it still exists:
```bash
sudo rm -rf /var/www/roundcube/installer
```
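The two checks the article asks for (is this server exposed, and did the upgrade actually land) as one script. This is an added example written for this page, not a script shipped by the Roundcube project. It assumes that the installed release defines `RCMAIL_VERSION` in `program/include/iniset.php` and that `config/config.inc.php` uses the usual `$config['key'] = 'value';` form for `session_storage` and the `plugins` array; the `virtuser_query` and Redis / Memcache lines mirror the scoping in the changelog entries above, and the default session backend `db` is Roundcube's documented default.

```shell
#!/bin/sh
# Exposure and post-upgrade check for the Roundcube 1.6.16 / 1.7.1 advisory.
# Added example for this article; not a script from the Roundcube project.
# Assumptions: RCMAIL_VERSION lives in program/include/iniset.php, and
# config/config.inc.php sets $config['session_storage'] and $config['plugins'].
set -eu

RC_FIXED_16=1.6.16   # fixed release on the 1.6 LTS branch
RC_FIXED_17=1.7.1    # fixed release on the 1.7 stable branch

# ver_ge A B: succeed when dotted version A >= B, comparing each component numerically.
ver_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            p = (i <= na) ? x[i] + 0 : 0
            q = (i <= nb) ? y[i] + 0 : 0
            if (p > q) exit 0
            if (p < q) exit 1
        }
        exit 0
    }'
}

# rc_version ROOT: print the installed version read from iniset.php.
rc_version() {
    sed -n "s/.*define('RCMAIL_VERSION', *'\([0-9][0-9.]*\)').*/\1/p" \
        "$1/program/include/iniset.php" | head -n 1
}

# rc_status VERSION: classify a version against the advisory.
#   fixed      - 1.6.16 or later on the 1.6 branch, 1.7.1 or later on the 1.7 branch
#   vulnerable - an earlier release on either branch
#   unknown    - a branch the advisory does not cover
rc_status() {
    case "$1" in
        1.6.*) if ver_ge "$1" "$RC_FIXED_16"; then echo fixed; else echo vulnerable; fi ;;
        1.7.*) if ver_ge "$1" "$RC_FIXED_17"; then echo fixed; else echo vulnerable; fi ;;
        *)     echo unknown ;;
    esac
}

# rc_config ROOT KEY DEFAULT: first scalar $config['KEY'] = '...'; in config.inc.php,
# or DEFAULT when the key is not set there.
rc_config() {
    v=$(sed -n "s/^[[:space:]]*\\\$config\['$2'\][[:space:]]*=[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" \
        "$1/config/config.inc.php" 2>/dev/null | head -n 1)
    printf '%s\n' "${v:-$3}"
}

# rc_plugin_enabled ROOT NAME: succeed when NAME appears quoted in config.inc.php.
# Plain text match: a commented-out entry also matches, so review hits by hand.
rc_plugin_enabled() {
    grep -q "['\"]$2['\"]" "$1/config/config.inc.php" 2>/dev/null
}

# rc_report ROOT: one-line summary plus the scoped issues that apply; exit 1 if unpatched.
rc_report() {
    ver=$(rc_version "$1")
    st=$(rc_status "$ver")
    sess=$(rc_config "$1" session_storage db)   # 'db' is Roundcube's default backend
    if rc_plugin_enabled "$1" virtuser_query; then vq=yes; else vq=no; fi
    printf 'version=%s status=%s session_storage=%s virtuser_query=%s\n' \
        "$ver" "$st" "$sess" "$vq"
    if [ "$st" = vulnerable ]; then
        if [ "$vq" = yes ]; then
            echo '  - pre-auth SQL injection (virtuser_query plugin) applies'
        fi
        case "$sess" in
            redis|memcache|memcached)
                echo "  - pre-auth file deletion via $sess session poisoning applies" ;;
        esac
        return 1
    fi
    return 0
}

# rc_post_upgrade_ok ROOT: succeed when the version is fixed and installer/ is gone.
rc_post_upgrade_ok() {
    [ "$(rc_status "$(rc_version "$1")")" = fixed ] && [ ! -d "$1/installer" ]
}

# Usage: sh rc_check.sh /var/www/roundcube
if [ "$#" -gt 0 ]; then
    rc_report "$1"
fi
```

Run it against the install root before the upgrade to see which of the scoped changelog entries apply to this particular server, and again after Step 5; a non-zero exit means the version is still below the fixed release for its branch.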
Summary & Recommendations
- The original information you received is substantially correct. Roundcube did release security updates 1.6.16 and 1.7.1 on May 24, 2026, patching serious vulnerabilities including pre-auth file deletion, SQL injection, code injection, and XSS.
- The claim slightly understated the scope — there are eight distinct fixes, not just three categories.
- Do not stay on 1.6.15 in production. At least two of the vulnerabilities are pre-authentication and require no valid user account to exploit.
- If you value stability and speed: upgrade to 1.6.16 today — it requires no server reconfiguration and takes minutes.
- If you want new features and have time to modify your DocumentRoot and test plugins: upgrade to 1.7.1, but plan for the `public_html/` web root change.
