Critical Roundcube Webmail Vulnerability Let Attackers Inject SQL Queries
Cybersecurity NewsArchived May 28, 2026✓ Full text saved
Roundcube Webmail users are being urged to apply urgent updates after developers patched multiple security flaws. Including a critical pre-authentication SQL injection vulnerability that could allow attackers to manipulate backend databases without logging in. The issues affect Roundcube versions 1.6. x and 1.7. x, which are widely used across enterprise and hosting environments. The vulnerability, […] The post Critical Roundcube Webmail Vulnerability Let Attackers Inject SQL Queries appeared fi
Full text archived locally
✦ AI Summary· Claude Sonnet
HomeCyber Security News
Critical Roundcube Webmail Vulnerability Let Attackers Inject SQL Queries
By Abinaya
May 28, 2026
Roundcube Webmail users are being urged to apply urgent updates after developers patched multiple security flaws.
Including a critical pre-authentication SQL injection vulnerability that could allow attackers to manipulate backend databases without logging in.
The issues affect Roundcube versions 1.6. x and 1.7. x, which are widely used across enterprise and hosting environments.
The vulnerability, discovered by researcher “skull,” affects the virtuser_query plugin. It stems from improper input sanitization in a preg_replace function, allowing attackers to bypass backslash-escaping protections.
This flaw enables threat actors to inject malicious SQL queries before authentication, potentially exposing sensitive email data, user credentials, and system configurations.
Security experts warn that pre-auth SQL injection flaws are particularly dangerous because they do not require valid user access.
In real-world attacks, adversaries could exploit this issue to extract mailbox contents, escalate privileges, or pivot deeper into internal infrastructure.
Roundcube Webmail Vulnerability
In addition to the SQL injection flaw, Roundcube addressed several other high-impact vulnerabilities in versions 1.6.16 and 1.7.1.
These include stored cross-site scripting (XSS) and HTML/CSS injection issues that could allow attackers to execute malicious scripts through manipulated email content or draft messages.
Another notable fix involves a CSS-injection bypass using SVG elements, specifically via the <animate> tag, which manipulates style attributes.
This could allow attackers to evade sanitization filters and execute unauthorized code in a victim’s browser session. Server-side request forgery (SSRF) protections were also strengthened.
Researchers identified bypass techniques using specially crafted local URLs that allowed access to restricted internal resources.
Additionally, flaws in remote image-blocking mechanisms were patched, allowing attackers to exploit CSS variables to load external content and potentially track users.
A particularly severe issue involved arbitrary file deletion through session poisoning in Redis or Memcache configurations.
This vulnerability could allow attackers to manipulate session data and delete critical files on the server.
Another fix removed unsafe code-evaluation functionality from the LDAP autovalues option, eliminating a potential code-injection vector that could lead to remote code execution in certain configurations.
Roundcube maintainers have released patched versions 1.6.16 and 1.7.1 and strongly recommend immediate updates for all production environments.
Given the combination of pre-auth SQL injection and multiple bypass techniques, unpatched systems present a significant attack surface.
Organizations using Roundcube in shared hosting, enterprise email systems, or cloud deployments should prioritize patching and review logs for suspicious activity.
Monitoring database queries, unusual HTTP requests, and unauthorized file operations can help detect potential exploitation attempts.
With webmail platforms remaining a prime target for attackers, this incident highlights the importance of timely patch management and secure configuration practices to prevent data breaches and service compromise.
Follow us on Google News, LinkedIn, and X to Get More Instant Updates.
Tags
cyber security
cyber security news
Copy URL
Linkedin
Twitter
ReddIt
Telegram
Abinayahttps://cybersecuritynews.com/
Abi is a Security Editor and fellow reporter with Cyber Security News. She is covering various cyber security incidents happening in the Cyber Space.
Trending News
Hackers Backdoor Popular art-template npm Package to Launch Watering-Hole Attacks
WhatsApp Chat Histories Stored Unencrypted on macOS and iOS
New 0-Click WhatsApp Account Takeover Attack Targeting iOS 16 Users
New BTMOB Malware Lets Attackers Remotely Control Android Devices
Mini Shai-Hulud Compromises @antv npm Packages to Steal CI/CD Credentials
Latest News
Cyber Security News
Threat Actors Spoofing FIFA Websites to Steal Name, Home Address, and Phone Number
Cyber Security News
Top 10 Best Mobile Application Security Testing (MAST) Tools in 2026
Cyber Security News
Top 10 Best Static Application Security Testing (SAST) Tools for Security Teams in 2026
Cyber Security News
Veeam Backup & Replication Tool Vulnerability Enables Privilege Escalation Attacks
Cyber Security News
Microsoft Warns Public Release of Zero-Day Details Before Vendor Coordination