Roundcube has released versions 1.7.2 and 1.6.17, delivering critical security patches for the widely deployed self-hosted webmail client. The update resolves multiple high-severity vulnerabilities, including a zero-click stored XSS flaw, an SSRF bypass, and several password plugin flaws involving session-injected usernames. Findings from independent researchers and Samsung R&D highlight the increasingly active threat landscape surrounding the PHP-based IMAP bridge, prompting the team to recommend an immediate production rollout. Administrators are advised to back up their data and follow the official upgrade guide before these flaws are targeted in the wild.
Roundcube ships 1.7.2 and 1.6.17 security patches for webmail admins
Zero-click XSS, SSRF bypasses, and a handful of password plugin flaws push Roundcube admins to update now.
Roundcube has released 1.7.2 and 1.6.17, both packed with security fixes for the widely deployed self-hosted webmail client. If you're running Roundcube in production, the team says it's time to update. Back up your data first, obviously.
The update addresses six distinct vulnerability classes. There's a stored XSS via unescaped attachment MIME types on the validation warning page, plus a zero-click variant hidden in plain-text rendering. Two new SSRF bypass cases slip past the local address restrictions, and the password plugin gets a thorough scrubbing for session-injected username flaws. On top of that, the TNEF decoder gets an infinite loop fix and a crafted compressed-RTF denial-of-service vector gets patched.
The volume of researchers credited here says something about how active this codebase has become. Samsung R&D Institute Ukraine, Orange Cyberdefense, and several independent security researchers all fed findings directly into the changelog. It's been a busy patch cycle for Roundcube. May brought another round of fixes that tackled pre-auth SQLi, CSS injection, and session poisoning. This week's release just closes more of the obvious doorways.
What changed outside the CVEs
Beyond the headline vulnerabilities, the changelog includes a handful of maintenance wins that most admins will quietly appreciate. The static.php file now handles HEAD requests, stops throwing 416 errors on specific Range headers, and finally loads the configured skin logo without returning a 404. The OAuth password claim gets pulled via token or userinfo request, OIDC backchannel logout handles untyped tokens, and the Redis and Memcache session drivers stop updating more often than they need to.
Not exactly sexy. It keeps the gears turning.
It's a rather dense release for a patch Tuesday, though that's par for the course when you're shipping a full-stack IMAP bridge written in PHP. The zero-click XSS alone is enough to warrant an immediate rollout. If you're hosting Roundcube for a university, a government entity, or a shared cPanel environment, leaving this sitting is a gamble you probably don't want to take.
Keep in mind that the 1.6.17 LTS branch gets the exact same security fixes as 1.7.2, plus some extra Enigma plugin support and Kolab WOAT handling. If you're still on PHP 7 or an older database version, you'll want to verify compatibility before rolling this out.
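As an added example (not code from the Roundcube project or from this article), here is a POSIX shell check an admin can drop into a deployment script to confirm an install sits at or above the patched release for its branch. It assumes the installed version is defined as `RCMAIL_VERSION` in `program/include/iniset.php`; if your layout differs, point `installed_version` at the right file.

```shell
#!/bin/sh
# Patched minimums per branch, as stated in the release notes:
#   1.7.x -> 1.7.2, 1.6.x (LTS) -> 1.6.17

# is_patched VERSION
# Prints "patched" (exit 0), "vulnerable" (exit 1) or "unknown-branch" (exit 2)
# for branches this release does not cover, which need checking separately.
is_patched() {
  v="$1"
  case "$v" in
    1.7.*) min=1.7.2 ;;
    1.6.*) min=1.6.17 ;;
    *)     echo "unknown-branch"; return 2 ;;
  esac
  # sort -V orders versions numerically; if the minimum sorts first (or equal),
  # the installed version is at least the patched release.
  lowest=$(printf '%s\n%s\n' "$min" "$v" | sort -V | head -n 1)
  if [ "$lowest" = "$min" ]; then
    echo "patched"; return 0
  fi
  echo "vulnerable"; return 1
}

# installed_version INSTALL_DIR
# Extracts the version string from the RCMAIL_VERSION define (assumption: the
# define lives in program/include/iniset.php, as in the 1.6 tree).
installed_version() {
  f="$1/program/include/iniset.php"
  [ -r "$f" ] || return 1
  sed -n "s/.*define('RCMAIL_VERSION', *'\([^']*\)').*/\1/p" "$f" | head -n 1
}

# Demo against a constructed install directory (not a real Roundcube tree).
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/program/include"
printf "<?php\ndefine('RCMAIL_VERSION', '1.6.16');\n" > "$demo_dir/program/include/iniset.php"
ver=$(installed_version "$demo_dir")
printf '%s: %s -> %s\n' "$demo_dir" "$ver" "$(is_patched "$ver")"
rm -rf "$demo_dir"
```

Run it as `is_patched "$(installed_version /var/www/roundcube)"` in a cron job or config-management check and alert on any non-zero exit.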
The official 1.7.2 and 1.6.17 changelogs carry the full technical breakdown and upgrade instructions. The Roundcube team recommends running the upgrade in a staging environment first, then hitting production once you've verified your mail flow and address book imports behave as expected.
