Roundcube Webmail Pre-Auth SQL Injection in virtuser_query Plugin (CVE-2026-48842) — Patched in 1.6.16 / 1.7.1 Alongside 7 Other Vulnerabilities — Threadlinqs Intelligence
Threat ID: TL-2026-0616 · Severity: HIGH · CVSS: 8.1 · Status: MONITORING · Category: VULNERABILITY
Roundcube Webmail 1.6.16 and 1.7.1 patch a pre-authentication SQL injection (CVE-2026-48842, CVSS 8.1) in the virtuser_query plugin, discovered by researcher 'skull'. The flaw allows unauthenticated
Roundcube Webmail is an open-source IMAP webmail client widely deployed across shared-hosting providers, enterprise mail farms, telecom operators, and government webmail portals; cPanel, Plesk, and ISPConfig all ship Roundcube by default, placing the codebase on hundreds of thousands of internet-exposed hosts. On 2026-05-24 the Roundcube project shipped releases 1.6.16 (LTS branch) and 1.7.1, addressing eight CVEs disclosed over the prior weeks. NVD published CVE assignments on 2026-05-25 and Cyber Security News issued a public writeup on 2026-05-28.
The headline vulnerability, CVE-2026-48842 (CVSS 8.1 / High, CWE-89), is a pre-authentication SQL injection in the optional virtuser_query plugin, which is used by Roundcube deployments that map between physical mail-store usernames and external SMTP/IMAP addresses. The plugin exposes four lookup paths — user2email, email2user, user2host, and alias2user — all of which interpolate user-controlled values into a configurable SQL query template such as `SELECT email FROM virtuser WHERE user='%u'`. The pre-patch code wrapped the lookup parameter with the database driver escape function, then substituted it into the template via `preg_replace('/%u/', $dbh->escape($p['user']), $this->config['email'])`. This is the bug: PHP's preg_replace treats the replacement string as a pattern that can contain backreferences (`$0`, `\0`, `\1`...) and literal-backslash escapes (`\\` → `\`). When `$dbh->escape()` doubled a backslash supplied by the attacker (turning `\` into `\\` to neutralize SQL string escaping), preg_replace collapsed those two backslashes back into one before placing them in the final SQL statement. The attacker therefore regains the ability to inject a literal backslash that escapes the trailing single-quote of the SQL string literal, breaking out of the quoted context and appending arbitrary SQL.
The vulnerable surfaces are reached by anonymous HTTP requests because the username and email parameters in virtuser_query are consulted before authentication, during pre-login address normalization. Attackers can therefore perform UNION-based extraction, error-based extraction, time-based blind extraction, or stacked queries (driver-dependent) to read mailbox metadata, Roundcube user records, IMAP credentials cached in `users` and `identities` tables, and any data co-located in the Roundcube database. On installations where the Roundcube database user has write access (the default), the attacker can also write or modify rows — enabling password resets, identity hijack, and follow-on authentication bypass.
The upstream fix replaces each of the four `preg_replace('/%u/', ...)` and `preg_replace('/%m/', ...)` calls with `str_replace('%u', ...)` / `str_replace('%m', ...)` in plugins/virtuser_query/virtuser_query.php; str_replace treats both haystack and replacement as literal strings with no backreference interpretation, so the database escape survives intact. Commit 3406183a9976e36f992d3468f37d0e2346526ee9 lands the patch on the 1.6 LTS branch, and 87124cc7136a48b5fa9d2b40dfead6e9dcaeaf4b ports it forward to 1.7.
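The following PHP snippet is an added illustration of the replacement-string hazard described above and of why the `str_replace` fix closes it; it is not Roundcube's code. The query template is the one quoted in this writeup, `addslashes()` stands in for the database driver's escape function (an assumption, chosen because it doubles backslashes the same way), and the function names `build_query_vulnerable` / `build_query_fixed` are hypothetical.

```php
<?php
// Added example (not Roundcube's code): the preg_replace() replacement-string
// hazard behind CVE-2026-48842, side by side with the str_replace() fix.
// addslashes() is assumed as a stand-in for the driver's escape function.

const TEMPLATE = "SELECT email FROM virtuser WHERE user='%u'";

// Pre-patch shape: the escaped value goes through preg_replace(), whose
// replacement argument interprets "\\" as a single backslash and $n / \n
// as backreferences, undoing part of the escaping.
function build_query_vulnerable(string $user): string
{
    $escaped = addslashes($user);   // '\' becomes '\\', "'" becomes "\'"
    return preg_replace('/%u/', $escaped, TEMPLATE);
}

// Patched shape: str_replace() copies the replacement verbatim, so the
// escaping the driver produced reaches the SQL statement intact.
function build_query_fixed(string $user): string
{
    $escaped = addslashes($user);
    return str_replace('%u', $escaped, TEMPLATE);
}

// Constructed inputs for the demonstration.
$inputs = [
    'alice',     // benign value: both builders agree
    'alice\\',   // one trailing backslash (PHP literal '\\' is a single '\')
    'al$0ice',   // $0 is a backreference token for preg_replace()
];

foreach ($inputs as $user) {
    $vuln  = build_query_vulnerable($user);
    $fixed = build_query_fixed($user);
    printf("input: %s\n  preg_replace: %s\n  str_replace:  %s\n  identical: %s\n\n",
        $user, $vuln, $fixed, $vuln === $fixed ? 'yes' : 'NO');
}
```

Run it with `php demo.php`. For the trailing-backslash input, `addslashes()` yields `alice\\`; the `preg_replace` builder collapses that back to `alice\`, so its statement ends in `user='alice\'` with the closing quote escaped and the string literal left open, while the `str_replace` builder keeps `user='alice\\'`. The `$0` input shows the second interpretation hazard: `preg_replace` expands `$0` to the matched `%u`, whereas `str_replace` leaves the value untouched.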
The same release closes seven additional issues that together expand the post-exploitation surface even where virtuser_query is not installed: CVE-2026-48843 (CVSS 7.2) is a CSS-injection bypass in the HTML sanitizer via the SVG `<animate attributeName="style">` element, allowing dynamic style mutation that escapes Roundcube's `cssparser`/style allowlist; CVE-2026-48844 (CVSS 7.5) removes unsafe code evaluation in the LDAP `autovalues` option that could permit code injection when administrators expose ldap_public_search; CVE-2026-48845 (CVSS 6.5) closes an SSRF/local-resource fetch bypass via specific local-address URLs reported by Orange Cyberdefense; CVE-2026-48846 (CVSS 6.5) fixes a remote-image-blocking bypass via CSS `var()` indirection that re-enables tracking pixels; CVE-2026-48847 (CVSS 3.7) is a pre-auth arbitrary file deletion through Redis/Memcache session poisoning;
Weaknesses (CWE)
CWE-89, CWE-79, CWE-94, CWE-918, CWE-73, CWE-116
Target sectors: hosting-providers, telecom, government, education, healthcare, financial, managed-service-providers, small-and-medium-business
Target regions: Global, North America, Europe, Asia-Pacific, Latin America, Middle East, Africa
Detections & IOCs
This threat has 9 detection rule(s) across Splunk SPL, Microsoft KQL and Sigma, and 20 indicator(s) of compromise. Detection query text and full IOC values are available to authenticated users and programmatically via the Threadlinqs MCP server (Purple tier).
VULNERABILITY, HIGH, threat intelligence, cybersecurity, CVE-2026-48842, CVE-2026-48843, CVE-2026-48844, CVE-2026-48845, CVE-2026-48846, CVE-2026-48847, CVE-2026-48848, CVE-2026-48849, T1595, T1592, T1587, T1190, T1078, T1059, T1505, T1098, T1070, T1027