Roundcube Webmail users are being urged to apply urgent updates after developers patched multiple security flaws.
Including a critical pre-authentication SQL injection vulnerability that could allow attackers to manipulate backend databases without logging in.
The issues affect Roundcube versions 1.6. x and 1.7. x, which are widely used across enterprise and hosting environments.
The vulnerability, discovered by researcher “skull,” affects the virtuser_query plugin. It stems from improper input sanitization in a preg_replace function, allowing attackers to bypass backslash-escaping protections.
This flaw enables threat actors to inject malicious SQL queries before authentication, potentially exposing sensitive email data, user credentials, and system configurations.
Security experts warn that pre-auth SQL injection flaws are particularly dangerous because they do not require valid user access.
In real-world attacks, adversaries could exploit this issue to extract mailbox contents, escalate privileges, or pivot deeper into internal infrastructure.
Roundcube Webmail Vulnerability
In addition to the SQL injection flaw, Roundcube addressed several other high-impact vulnerabilities in versions 1.6.16 and 1.7.1.
These include stored cross-site scripting (XSS) and HTML/CSS injection issues that could allow attackers to execute malicious scripts through manipulated email content or draft messages.
Another notable fix involves a CSS-injection bypass using SVG elements, specifically via the <animate> tag, which manipulates style attributes.
This could allow attackers to evade sanitization filters and execute unauthorized code in a victim’s browser session. Server-side request forgery (SSRF) protections were also strengthened.
Researchers identified bypass techniques using specially crafted local URLs that allowed access to restricted internal resources.
Additionally, flaws in remote image-blocking mechanisms were patched, allowing attackers to exploit CSS variables to load external content and potentially track users.
A particularly severe issue involved arbitrary file deletion through session poisoning in Redis or Memcache configurations.
This vulnerability could allow attackers to manipulate session data and delete critical files on the server.
Another fix removed unsafe code-evaluation functionality from the LDAP autovalues option, eliminating a potential code-injection vector that could lead to remote code execution in certain configurations.
Roundcube maintainers have released patched versions 1.6.16 and 1.7.1 and strongly recommend immediate updates for all production environments.
Given the combination of pre-auth SQL injection and multiple bypass techniques, unpatched systems present a significant attack surface.
Organizations using Roundcube in shared hosting, enterprise email systems, or cloud deployments should prioritize patching and review logs for suspicious activity.
Monitoring database queries, unusual HTTP requests, and unauthorized file operations can help detect potential exploitation attempts.
With webmail platforms remaining a prime target for attackers, this incident highlights the importance of timely patch management and secure configuration practices to prevent data breaches and service compromise.
