Critical Pre-Auth SQL Injection in Roundcube Webmail Exposes Enterprise Email Systems
Researchers have disclosed a critical pre-authentication SQL injection vulnerability in Roundcube Webmail that allows unauthenticated attackers to manipulate backend databases, exposing sensitive email data and credentials.
Roundcube Webmail users are being urged to apply urgent updates after developers patched multiple security flaws, including a critical pre-authentication SQL injection vulnerability. The flaw, discovered by researcher “skull,” affects the virtuser_query plugin in Roundcube versions 1.6.x and 1.7.x, which are widely deployed across enterprise and hosting environments.
The vulnerability stems from improper input sanitization in a preg_replace function, allowing attackers to bypass backslash-escaping protections and inject arbitrary SQL queries before authentication. This pre-auth SQL injection is particularly dangerous because it requires no valid user access, enabling threat actors to extract mailbox contents, steal user credentials, and probe system configurations. In real-world attacks, adversaries could leverage this to escalate privileges or pivot deeper into internal infrastructure, making unpatched systems a prime target.
In addition to the SQL injection flaw, Roundcube addressed several other high-impact vulnerabilities in versions 1.6.16 and 1.7.1. These include stored cross-site scripting (XSS) and HTML/CSS injection issues that could allow attackers to execute malicious scripts through manipulated email content or draft messages. Another notable fix addresses a CSS-injection bypass using SVG elements, specifically via the <animate> tag, which manipulates style attributes to evade sanitization filters and execute unauthorized code in a victim’s browser session.
Server-side request forgery (SSRF) protections were also strengthened after researchers identified bypass techniques using specially crafted local URLs that granted access to restricted internal resources. Additionally, flaws in remote image-blocking mechanisms were patched, preventing attackers from exploiting CSS variables to load external content and potentially track users. A particularly severe issue involved arbitrary file deletion through session poisoning in Redis or Memcache configurations, which could allow attackers to manipulate session data and delete critical files on the server.
Roundcube maintainers have released patched versions 1.6.16 and 1.7.1 and strongly recommend immediate updates for all production environments. Given the combination of pre-auth SQL injection and multiple bypass techniques, unpatched systems present a significant attack surface. Organizations using Roundcube in shared hosting, enterprise email systems, or cloud deployments should prioritize patching and review logs for suspicious activity.
Webmail platforms remain a prime target for attackers due to their role as gateways to sensitive communications and credentials. This incident highlights the importance of timely patch management and secure configuration practices to prevent data breaches and service compromise. Security experts recommend monitoring database queries, unusual HTTP requests, and unauthorized file operations to detect potential exploitation attempts.
With the disclosure of this critical vulnerability, the cybersecurity community is once again reminded that even mature, widely used open-source applications can harbor dangerous flaws when input validation is insufficient. The Roundcube team's rapid response in releasing patches sets a positive example, but the onus remains on administrators to apply them swiftly before malicious actors begin scanning for vulnerable instances.