Recent posts
#1
General Discussion / Security concerns - Uncovering...
Last post by dutterman - Today at 12:39:34 PM
Hello,
I've been running RC for probably a decade and am really happy with the UI. But I wonder what I can do to increase security.
After reading: https://hunt.io/blog/operation-roundish-apt28-roundcube-exploitation it seems that even when using the 2-factor authentication plugin, the webapp is vulnerable to exploits.
Is there any guidance on how to increase security to mitigate these risks?
#2
News & Announcements / Security updates 1.7-rc5, 1.6....
Last post by SKaero - Today at 11:39:09 AM
We just published security updates to the 1.6 and 1.5 LTS versions of Roundcube Webmail, as well as a release candidate for the coming 1.7. They contain fixes for a recently reported set of security vulnerabilities.
Security fixes
- Fix pre-auth arbitrary file write via unsafe deserialization in redis/memcache session handler, reported by y0us.
- Fix bug where a password could get changed without providing the old password, reported by flydragon777.
- Fix IMAP Injection + CSRF bypass in mail search, reported by Martila Security Research Team.
- Fix remote image blocking bypass via various SVG animate attributes, reported by nullcathedral.
- Fix remote image blocking bypass via a crafted body background attribute, reported by nullcathedral.
- Fix fixed position mitigation bypass via use of !important, reported by nullcathedral.
- Fix XSS issue in an HTML attachment preview, reported by aikido_security.
- Fix SSRF + Information Disclosure via stylesheet links to local network hosts, reported by Georgios Tsimpidas (aka Frey), Security Researcher at https://i0.rs/.
See the full changelogs in the release notes on the Github download pages for the updated versions
We strongly recommend updating your production installations of Roundcube to these new versions.
Source: https://roundcube.net/news/2026/03/18/security-updates-1.7-rc5-1.6.14-1.5.16
Get it Now: https://roundcube.net/download
#3
Pending Issues / Re: Invalid scope while authen...
Last post by TiffanyLynch - Today at 12:05:18 AM
So I asked on the Microsoft Learn forum¹ about the issue, and from my understanding, the outlook.office.com scope is only for Exchange Online, which is paid and common in organizations. But he also mentioned that Exchange Web (the API providing the outlook.office.com scope) is also in the process of being deprecated and moved to Graph API. So does the pull request you mentioned make Outlook OAuth work with Microsoft Graph?
¹ https://learn.microsoft.com/en-us/answers/questions/5825132/how-to-add-permission-from-office-api-scopes
#4
Pending Issues / Re: Email headers not showing ...
Last post by ehymel - March 17, 2026, 11:25:32 AM
As far as switching to plain text goes, I think that anything you do to refresh the page after the initial load will then appropriately show the headers. If I go to my settings and turn off HTML views of messages, I see the same behavior with new messages not showing headers on initial load.
#5
Pending Issues / Re: Email headers not showing ...
Last post by ehymel - March 17, 2026, 10:59:12 AM
I appreciate the time you are spending on this.
I commented out ALL plugins in the config/config.inc.php file and, just to be thorough (not sure if needed), I deleted all files in the temp/ directory.
Unfortunately there is no change. I'll leave all plugins disabled in case you want to have a look. It seems 2 plugins remain no matter what (jqueryui and filesystem_attachments).
#6
Pending Issues / Re: Email headers not showing ...
Last post by SKaero - March 17, 2026, 02:12:06 AM
I tested with the account you sent and was able to briefly see the problem; after switching the email to plain text all the headers showed up as normal and the problem happened again. I noticed that you have a large number of plugins enabled. Can you try disabling all the plugins and see if the issue continues? My leading guess is that either an outdated plugin or a conflict between plugins is causing the issue.
#7
Pending Issues / Re: Email headers not showing ...
Last post by ehymel - March 15, 2026, 10:07:11 AM
Certainly! I'll PM you. Thank you.
#8
Pending Issues / Re: Invalid scope while authen...
Last post by JohnDoh - March 15, 2026, 05:08:23 AM
Does this help? https://github.com/roundcube/roundcubemail/pull/9939
#9
Pending Issues / Invalid scope while authentica...
Last post by TiffanyLynch - March 15, 2026, 03:24:36 AM
Hello. I want to use Roundcube to access Outlook. I created an OAuth application in Entra ID, assigned the necessary permissions, copy-pasted the example from the defaults.inc.php file, and replaced the client ID and secret placeholders with my own. I was bounced back to the login page with an error (only shown in the URL), `invalid_scope`. I checked the permission details for IMAP.AccessAsUser.All and SMTP.Send; it turns out they are also within `graph.microsoft.com`. So I think the `https://outlook.office365.com/` part in the OAuth scope is not needed at all. I tried stripping that part, and finally got an OAuth token, but I was bounced back to the login page with no error reported even with debug_level set to 1. And I'm using the roundcubemail-1.6.13-complete.tar.gz archive to deploy Roundcube.
#10
Theme Releases / Re: Elastic2022
Last post by Seb1k - March 14, 2026, 07:50:29 AM
Hi all!
I just released version 1.7 of my skin.
Many CSS & JS fixes.
The top bar now fits on "1 line":

Bulk delete and archive are working!
Direct link : https://github.com/seb1k/Elastic2022
@stanislawl, could you please send me a screenshot of the issue? I couldn't find where the problem is.