CVE-2026-48849 Overview
CVE-2026-48849 is a stored cross-site scripting (XSS) vulnerability in Roundcube Webmail affecting versions 1.6.x before 1.6.16 and 1.7.x before 1.7.1. The flaw stems from the subject of a saved draft being restored into the compose page without sanitization, which lets an attacker inject HTML, CSS, or JavaScript through that field. When users of a shared mailbox restore a crafted draft, the injected content executes in their browser session. The vulnerability is classified under [CWE-79] (Improper Neutralization of Input During Web Page Generation).
Critical Impact
Attackers with low-privilege access to shared mailboxes can inject persistent scripts that execute when other users restore affected drafts, enabling session theft and UI manipulation.
Affected Products
- Roundcube Webmail 1.6.x versions prior to 1.6.16
- Roundcube Webmail 1.7.x versions prior to 1.7.1
- Shared mailbox deployments using vulnerable Roundcube versions
Discovery Timeline
- 2026-05-24 - Roundcube releases security updates 1.6.16 and 1.7.1
- 2026-05-25 - CVE-2026-48849 published to NVD
- 2026-05-26 - Last updated in NVD database
Technical Details for CVE-2026-48849
Vulnerability Analysis
The vulnerability resides in how Roundcube Webmail handles the subject field when restoring saved draft messages. The draft restoration logic places the stored subject into the page without HTML encoding or sanitization. An attacker with write access to a shared mailbox can create a draft whose subject line carries crafted HTML, CSS, or JavaScript. When a second user restores that draft, the unencoded content renders in their browser session.
Because the payload persists in the draft storage, this is a stored XSS issue rather than reflected. The shared mailbox deployment model amplifies the impact by giving attackers a reliable channel to reach other authenticated users. The scope change reflected in the CVSS vector indicates the injected content can affect resources beyond the vulnerable component, including the broader Roundcube session context.
Root Cause
The root cause is missing output encoding on the draft subject field during the restore operation. User-supplied input flows from draft storage into the rendered web interface without being HTML-escaped for the context it lands in. The fix introduced in commits 189d30a4 and a21519187873ce962db029b6ff68e47bd7f3fd8a adds proper escaping to the subject handling path.
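The missing encoding, modelled as an added example in Python (Roundcube itself is PHP; nothing below is the project's code): a hypothetical template interpolates the restored subject into the compose form's subject input and into a draft-list cell, first raw and then HTML-encoded, and a small HTMLParser-based stand-in for the browser shows which event-handler attributes each version would wire up. The field name `_subject`, the surrounding markup and the two payloads are assumptions constructed for the demo.

```python
"""Illustrative model of the CVE-2026-48849 sink: a restored draft subject written into the
page without output encoding, beside the encoded form. Python stand-in, not Roundcube's PHP."""
import html
from html.parser import HTMLParser

# Constructed payloads (assumptions for the demo, not captured from the wild).
# This one contains no "<" at all: it closes the value="..." attribute and adds an event
# handler, so a detector that only looks for tags would miss it.
ATTR_BREAKOUT = 'Quarterly report" autofocus onfocus="alert(document.cookie)'
# This one targets a text context, e.g. the subject shown in the draft list.
TAG_PAYLOAD = 'Quarterly report <img src=x onerror="alert(document.cookie)">'


def render_compose_unsafe(subject: str) -> str:
    """Pre-fix behaviour (hypothetical template): raw interpolation into an attribute."""
    return f'<input type="text" name="_subject" value="{subject}">'


def render_compose_safe(subject: str) -> str:
    """Hardened form: HTML-encode before interpolation; quote=True covers the attribute context."""
    return f'<input type="text" name="_subject" value="{html.escape(subject, quote=True)}">'


def render_listing_unsafe(subject: str) -> str:
    """Pre-fix behaviour for a text context (hypothetical template)."""
    return f'<td class="subject">{subject}</td>'


def render_listing_safe(subject: str) -> str:
    """Hardened form for the text context."""
    return f'<td class="subject">{html.escape(subject)}</td>'


class _Browser(HTMLParser):
    """Minimal stand-in for the victim's browser: records every start tag and its attributes.
    HTMLParser decodes entities in attribute values, just as a browser would."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def parse(markup: str):
    """Return [(tag, {attr: value}), ...] as the browser would see them."""
    p = _Browser()
    p.feed(markup)
    p.close()
    return p.tags


def event_handlers(markup: str):
    """Every on* attribute the browser would wire up from this markup, as 'tag@attr'."""
    return [f"{tag}@{name}" for tag, attrs in parse(markup) for name in attrs if name.startswith("on")]


if __name__ == "__main__":
    for label, fn, payload in [
        ("compose/unsafe", render_compose_unsafe, ATTR_BREAKOUT),
        ("compose/safe", render_compose_safe, ATTR_BREAKOUT),
        ("listing/unsafe", render_listing_unsafe, TAG_PAYLOAD),
        ("listing/safe", render_listing_safe, TAG_PAYLOAD),
    ]:
        print(f"{label:15} handlers={event_handlers(fn(payload))}")
```

The attribute-context payload contains no angle bracket, which is why an audit of stored subjects has to look for quote-plus-on* patterns and not only for tags. html.escape with quote=True is sufficient for both contexts shown here; in general the encoding has to match the context the value lands in (attribute, text node, JavaScript string, URL), and the safe version is the one that decodes back to exactly the original subject with no extra attributes.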
Attack Vector
Exploitation requires an authenticated attacker with permission to create or modify drafts in a shared mailbox. The attacker saves a draft with a malicious subject containing JavaScript, HTML, or CSS payloads. When a victim user with access to the same shared mailbox restores the draft, the payload executes in their browser. User interaction is required, and attack complexity is high due to the specific shared mailbox precondition.
No public proof-of-concept code is available. Refer to the Roundcube Security Updates advisory and the GitHub commit fix for technical specifics on the corrected sanitization logic.
Detection Methods for CVE-2026-48849
Indicators of Compromise
- Draft messages in shared mailboxes whose subject field contains HTML tags, <script> elements, inline event handlers (on*=), javascript: URLs, or a stray quote character followed by an attribute name (an attribute-context injection needs no angle brackets at all)
- Unexpected JavaScript execution or DOM modifications when users access shared mailbox drafts
- Anomalous outbound requests from Roundcube user sessions to attacker-controlled domains
- Unusual session token activity for users who recently accessed shared mailbox drafts
Detection Strategies
- Inspect mail storage for draft messages whose subject fields contain HTML markup, CSS expressions, or scripting constructs; decode RFC 2047 encoded-words (=?UTF-8?B?...?=) before matching, since a grep over raw storage for < or on*= misses an encoded subject
- Review Roundcube application logs for repeated draft restore actions tied to suspicious accounts
- Monitor Content Security Policy (CSP) violation reports generated by the Roundcube frontend
- Correlate authentication events across users sharing the same mailbox to identify lateral movement attempts
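A draft audit for the first detection strategy above, as an added example (not Roundcube's own tooling): it decodes each message's Subject, including RFC 2047 encoded-words, and matches the decoded value against patterns that cover tags, attribute breakouts, javascript: URLs and CSS vectors. The sample drafts are constructed for the demo; the IMAP folder name and the header fields fetched are assumptions, and the IMAP function only runs when the script is pointed at a live server.

```python
"""Added audit helper for CVE-2026-48849: flag draft messages whose Subject decodes to
HTML/CSS/script markup. Not part of Roundcube; IMAP host and folder are assumptions."""
import base64
import email
import email.policy
import imaplib
import re
from typing import Iterable

# A subject that reaches the DOM can carry a tag, an attribute breakout (no "<" needed),
# a CSS expression/@import, or a javascript: URL. Match the DECODED subject: RFC 2047
# encoded-words (=?UTF-8?B?...?=) hide all of these from a grep over raw mail storage.
SUSPICIOUS = re.compile(
    r"<\s*/?[a-z!]"                 # any tag opener, including <!-- and <script
    r"|[\"']\s*on[a-z]+\s*="        # quote followed by an event-handler attribute
    r"|\bon[a-z]+\s*=\s*[\"']"      # event handler with a quoted value
    r"|javascript\s*:"              # javascript: URL
    r"|expression\s*\(|@import\b"   # CSS-based vectors
    r"|&#x?[0-9a-f]+;?|&[a-z]+;",   # entity-encoded characters in a plain subject
    re.IGNORECASE,
)


def decoded_subject(raw: bytes) -> str:
    """Parse an RFC 5322 message (headers are enough) and return its Subject with
    encoded-words decoded; the default policy does the RFC 2047 decoding for us."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    return str(msg["Subject"] or "")


def flag_subjects(messages: Iterable[tuple[str, bytes]]) -> list[tuple[str, str]]:
    """Return (id, decoded_subject) for every message whose subject matches SUSPICIOUS."""
    hits = []
    for msg_id, raw in messages:
        subject = decoded_subject(raw)
        if SUSPICIOUS.search(subject):
            hits.append((msg_id, subject))
    return hits


def fetch_draft_headers(host: str, user: str, password: str, folder: str = "Drafts"):
    """Yield (uid, header_bytes) for each message in a folder. Network access; not run in
    the demo. The folder name is an assumption: shared mailboxes are often exposed under
    names such as 'Shared/team/Drafts', so list folders first and audit each one."""
    with imaplib.IMAP4_SSL(host) as imap:
        imap.login(user, password)
        imap.select(folder, readonly=True)
        _, data = imap.uid("search", None, "ALL")
        for uid in data[0].split():
            _, parts = imap.uid("fetch", uid, "(BODY.PEEK[HEADER.FIELDS (SUBJECT FROM DATE)])")
            yield uid.decode(), parts[0][1]


# Constructed sample drafts (not real captures): two benign, two hostile. The last one hides
# the markup behind a base64 encoded-word, so a raw grep for "<" or "onerror" would miss it.
SAMPLE_DRAFTS = [
    ("1", b"Subject: Quarterly report\r\nFrom: a@example.test\r\n\r\n"),
    ("2", b"Subject: [ACME] invoices due 2026-05-31\r\nFrom: b@example.test\r\n\r\n"),
    ("3", b"Subject: hi\" autofocus onfocus=\"alert(document.cookie)\r\nFrom: c@example.test\r\n\r\n"),
    ("4", b"Subject: =?UTF-8?B?" + base64.b64encode(b'<img src=x onerror="alert(1)">') + b"?=\r\n\r\n"),
]


if __name__ == "__main__":
    for msg_id, subject in flag_subjects(SAMPLE_DRAFTS):
        print(f"draft {msg_id}: {subject!r}")
    # Against a live server (credentials and folder are placeholders):
    # for hit in flag_subjects(fetch_draft_headers("imap.example.test", "auditor", "secret", "Shared/team/Drafts")):
    #     print(hit)
```

Expect some triage noise: subjects that legitimately contain "<" (quoted addresses, "<no subject>") or a literal entity will match the first and last alternatives, so review hits rather than auto-deleting them. Because the attacker can write the draft over IMAP directly, not only through the web UI, the audit has to run against the mail store and not against web-server logs.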
Monitoring Recommendations
- Enable verbose Roundcube logging for IMAP draft operations and shared folder access (imap_debug in config.inc.php logs every IMAP command, so enable it selectively and for a bounded period)
- Forward webmail access logs to a centralized SIEM for behavioral analysis
- Alert on outbound HTTP requests originating from authenticated webmail sessions to uncategorized domains
- Track user-agent and IP anomalies for accounts with shared mailbox permissions
How to Mitigate CVE-2026-48849
Immediate Actions Required
- Upgrade Roundcube Webmail to version 1.6.16 or 1.7.1 without delay
- Audit all shared mailboxes for existing drafts containing HTML, scripting, or styling markup in subject fields
- Review and tighten shared mailbox permissions to limit draft creation to trusted accounts
- Invalidate active webmail sessions after patching to clear any compromised tokens
Patch Information
Roundcube published fixes on 2026-05-24. The corrections are available in Roundcube 1.6.16 and Roundcube 1.7.1. The relevant code changes are documented in commit 189d30a4 and commit a21519187. Administrators should apply the official upstream packages rather than backport patches manually.
Workarounds
- Restrict shared mailbox write access to a minimal set of trusted users until the patch is applied
- Deploy a strict Content Security Policy that blocks inline scripts and inline event handlers in the Roundcube interface; Roundcube's own pages emit inline scripts and styles, so test the policy in report-only mode first and treat CSP as a mitigating control, not a substitute for the patch
- Use a web application firewall rule in front of Roundcube to reject draft-save requests whose subject form field carries HTML tags, event-handler attributes, or javascript: URLs; this only covers drafts saved through the web UI, not drafts written into the shared folder directly over IMAP by another client, so it is a partial control
- Temporarily disable shared mailbox functionality if patching cannot be performed promptly
# Example: verify installed Roundcube version and upgrade
grep -m1 RCMAIL_VERSION /var/www/roundcube/program/include/iniset.php
# Download the patched release and check it against the checksum or signature published with the release
wget https://github.com/roundcube/roundcubemail/releases/download/1.6.16/roundcubemail-1.6.16-complete.tar.gz
tar -xzf roundcubemail-1.6.16-complete.tar.gz
# Install over the existing tree with the bundled script, which also runs the post-upgrade update step (bin/update.sh)
roundcubemail-1.6.16/bin/installto.sh /var/www/roundcube
# Apply a restrictive CSP header in the webserver configuration (nginx example, inside the server or location block).
# Roundcube's own pages emit inline scripts and styles, so this policy breaks the UI unless it is tuned with
# nonces or hashes; roll it out as Content-Security-Policy-Report-Only first and read the violation reports.
add_header Content-Security-Policy-Report-Only "default-src 'self'; script-src 'self'; style-src 'self'; object-src 'none';" always;
# Once the reports are clean, switch to the enforcing header:
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self'; object-src 'none';" always;
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


