Security Update for Roundcube

Hi,

there have been new versions of Roundcube webmail available for 4 weeks. These versions fix 2 CVEs that were found in the versions we are running in Mail-in-a-Box. There has been a PR on GitHub available for 3 weeks: [security] Update roundcube to 1.6.13 by kiekerjan · Pull Request #2554 · mail-in-a-box/mailinabox · GitHub

Is somebody with commit permissions working on integrating this PR and releasing a new version of Mail-in-a-Box? If not, I will start investigating how I can disable Roundcube altogether.

regards
Lars

2 Likes

Josh will probably include it in the next update of Mailinabox, but when this will be, I don't know.

1 Like

Disable Roundcube? No, change 2 strings manually, re-run setup.sh and have fun with 1.6.13!

1 Like

The strongly recommended security update for Roundcube (version 1.6.15) has been available for a week now.
If someone could please advise me how to update Roundcube webmail manually on a working MiaB server, I would be more than grateful indeed.
Thank you!

1 Like

Hi,

since this project is mostly abandoned you will need to do it yourself. You can replace the roundcube entries in /your/installfolder/mailinabox/setup/webmail.sh as described here: roundcube-1.6.15 by jcm-shove-it · Pull Request #2565 · mail-in-a-box/mailinabox · GitHub

Then re-run the command to update your MIAB installation. For my system I follow this Mail-in-a-Box Maintenance Guide.
This re-runs the setup procedure and should update Roundcube automatically to the new version.
This worked fine for me.

Good luck

1 Like
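The "2 strings" the two posts above refer to are the Roundcube version and tarball checksum pinned in setup/webmail.sh. The script below is an added example, not code from the thread or from the Mail-in-a-Box project: it bumps that pin on a constructed stand-in file and refuses a checksum that is not 40 hex characters, so a forgotten placeholder cannot become the hash the setup trusts. It assumes the pin lines are named `VERSION=` and `HASH=`; check your own copy of the file before using it.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Mail-in-a-Box project.
# Bumps the Roundcube release pinned in setup/webmail.sh (the "2 strings"
# the posts above talk about) and checks the new pin before setup is re-run.
# ASSUMPTION: the file pins the release as "VERSION=x.y.z" and the tarball
# checksum as "HASH=<40 hex chars>"; adjust the patterns if your copy differs.

# Print the Roundcube version currently pinned in the given webmail.sh.
pinned_version() {
  sed -n 's/^VERSION=\([0-9][0-9.]*\).*/\1/p' "$1" | head -n 1
}

# Rewrite the VERSION= and HASH= lines in place (a .bak copy is kept).
# Refuses a hash that is not exactly 40 lowercase hex characters, so a
# forgotten placeholder can never end up as the checksum the setup trusts.
pin_roundcube() {
  file=$1; ver=$2; hash=$3
  case "$hash" in
    ''|*[!0-9a-f]*) echo "refusing non-hex hash: '$hash'" >&2; return 1 ;;
  esac
  [ "${#hash}" -eq 40 ] || { echo "hash must be 40 hex chars" >&2; return 1; }
  grep -q '^VERSION=' "$file" || return 1
  grep -q '^HASH=' "$file" || return 1
  sed -i.bak -e "s/^VERSION=.*/VERSION=$ver/" -e "s/^HASH=.*/HASH=$hash/" "$file"
}

# Constructed stand-in for setup/webmail.sh; only the two pin lines matter.
SAMPLE=$(mktemp)
cat >"$SAMPLE" <<'EOF'
# constructed sample, not the real file
VERSION=1.6.11
HASH=0000000000000000000000000000000000000000
EOF
echo "currently pinned: $(pinned_version "$SAMPLE")"
```

The hash you pass must be the checksum published upstream for the exact release you pin; carrying the old one over makes the setup's download check fail rather than silently succeed.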

While you may need to do the update yourself (not too hard to edit the single file and run the update .sh), I certainly wouldn't call this great open source project 'mostly abandoned' when it was just updated less than 90 days ago (v74: Version 74 (January 4, 2026)).

1 Like

Yes, I would also consider this project being great. I really do.

However, if you check the January update, you’ll see it was mostly centered around a security alert concerning Roundcube. So, there was a new version being assembled because Roundcube contained a few actively exploited flaws.
This thread is centered around actively exploited security issues in Roundcube, but this time we have fallen behind 3 versions of Roundcube, with each having its own set of attack surfaces. In the past this was a good reason to assemble a new version of MIAB, which doesn't seem to be the case anymore. PRs are available in GH mostly a few days after the announcements.

In a recent other thread Josh said that he very likely won't have the resources to do anything outside of an upgrade to Ubuntu 26.4 (which is going to be huge - the Dovecot config changes in themselves are already big) and reminded the community to fork this project if there are any other changes they want to have. Which tells me he is looking for a way to slowly phase this project out. Until a fork (there have been a few in the past already) gains traction on its own to take over from here, I would say there is going to be a lot more manual work required in the near future…

2 Likes