Roundcube Webmail — CSRF Token Invalid Error (401) When Rapidly Switching Emails
Hello,
We are experiencing a persistent issue with Roundcube Webmail on our cPanel server.
When a user rapidly clicks through 4–5 emails in the inbox (using preview pane or full view), the interface suddenly returns:
HTTP error 401 – Invalid Security Token
Requested page: 403.shtml
Affected URL: /cpanelwebmail/3rdparty/roundcube/?_task=mail&_uid=XXXX&_action=show
This is **not related to copied URLs or session expiration**. It happens live, within an active authenticated session.
Steps to reproduce:
1. Login to Webmail via https://webmail.domain.tld
2. Open Roundcube.
3. Rapidly click 4–6 messages in the inbox (without refreshing).
4. After a few clicks, the interface throws a 401/403 error.
What we have already tried:
- Disabled `preview_pane` in Roundcube config.
- Disabled `check_referrer`, `csrf_referrer_check`, and extended token lifetime.
- Disabled ModSecurity for `/3rdparty/roundcube/` and `/cpsess.*/3rdparty/roundcube/`.
- Even patched app.js to skip reload on 403.
- None of these solved the issue — `cpsrvd` still returns 401.
We understand that cpsess tokens are designed for CSRF protection. However, this behavior appears to be broken when using internal AJAX navigation in Roundcube.
Please confirm:
1. Is there a supported way to suppress this invalid token behavior in 3rdparty Roundcube?
2. Can this be considered a bug in cpsrvd token routing?
3. Is there a cPanel-supported Roundcube deployment path **outside cpsrvd**, or is that not recommended?
Thank you.
-
Hi Khachatryan,
What versions of WHM, cPanel and Roundcube are you using? I am not able to replicate it on our end with CloudLinux v8.10.0 STANDARD kvm cPanel Version 128.0.9 Roundcube Webmail 1.6.11
Tested while having Modsec, check_referrer and the preview pane enabled. The console stays empty too while rapidly browsing. We did about 100 switches in a window of 10 seconds, tested on 3 separate servers and 5 different domains per server. That of course does not mean there can't be a bug, but just sharing our own experience with the reported issue.
Sidenote
If you are on a lower version and able to upgrade Roundcube, I would highly recommend trying that first. There is a rather nasty CVE (2025-49113) currently with Roundcube on versions lower than 1.5.10 LTS or 1.6.x before 1.6.11.
A PoC was released two days ago. https://www.youtube.com/watch?v=TBkTbMJWHJY
We got a patch for CVE-2025-49113 three days ago on cPanel
https://docs.cpanel.net/changelogs/128-change-log/128.0.9
2025-06-02
- Fixed case CPANEL-47587: Update Roundcube to 1.6.11 to fix CVE-2025-49113.
-
I also can't replicate this on my end by cycling through multiple emails in the interface. If you haven't performed the update that ITHKBO mentioned please do that and let us know if you're still seeing the issue. If so, it may be best to create a ticket so this can be investigated on the server experiencing the problem.
-
We're running the exact same environment you tested with:
- AlmaLinux 8.10
- cPanel 128.0.9
- Roundcube 1.6.11
The issue is reproducible 100% of the time by fast-clicking 5–6 emails in sequence within Roundcube. It leads to
HTTP 401 - Invalid Security Token
with no user interaction outside the Webmail interface. We've patched all known mitigation options (modsec, referrer check, token lifetime, JS override), and it still happens.
-
Can you create a ticket so this can be investigated directly?
-
Hi,
I ran into this same issue before, and it's definitely frustrating—especially when users are quickly browsing emails and suddenly get kicked with a 401 or 403 error.
From what I understand, this seems to be more on the cpsrvd token management side rather than Roundcube itself. The fact that it's reproducible within an active session and not tied to session expiration suggests that the token refresh or validation logic isn't handling rapid AJAX requests well, especially within cPanel's 3rdparty route structure.
To your questions:
- Currently, I haven't found an officially supported method to entirely suppress the invalid token behavior within the embedded Roundcube interface inside cPanel. The config tweaks you listed are essentially what I've tried as well.
- I'd lean toward calling it a bug or design oversight, especially since the behavior only appears during rapid AJAX navigation and not during typical user activity.
- Deploying Roundcube outside of cpsrvd, such as on a standalone domain or subdomain, definitely provides more control and avoids cpsrvd's token routing issues. But yeah, that's not technically "supported" in the cPanel ecosystem, though I've seen people go that route to avoid these token problems entirely.
If you're managing several users and need more control and flexibility, spinning up your own Roundcube instance outside cPanel might be the cleanest long-term solution. Still hope cPanel addresses this adequately in a future update.
-
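The post above attributes the failures to token validation that does not cope with several overlapping AJAX requests inside one session. The following is an added illustration of that general failure mode and is not code from the thread, from cPanel or from Roundcube: a constructed simulation in which a client fires five requests before any response comes back, run against two hypothetical CSRF strategies. `SessionScopedTokens` keeps one token for the session lifetime; `RotatingTokens` consumes the presented token and issues a new one on every validated request, optionally honouring the last few tokens (`grace`) so that in-flight requests built from an older page state are still accepted. Class and function names are assumptions for the example.

```python
"""Constructed simulation of CSRF token strategies under a burst of
overlapping requests (added example; not cPanel or Roundcube code)."""
import collections
import hmac
import secrets


class SessionScopedTokens:
    """Synchronizer-token pattern with one token per session.

    The token is created at login and stays valid until logout, so any
    number of concurrent requests that carry it are accepted. Comparison
    is constant-time so a forged token cannot be guessed byte by byte.
    """

    def __init__(self) -> None:
        self.token = secrets.token_hex(16)

    def issue(self) -> str:
        return self.token

    def validate(self, presented: str) -> bool:
        return hmac.compare_digest(self.token, presented)


class RotatingTokens:
    """Per-request token rotation.

    Every accepted request retires the presented token and issues a new
    one, which the client only learns when the response arrives. With
    grace=1 only the newest token is valid; a larger grace keeps that
    many recent tokens valid so requests already in flight still pass.
    """

    def __init__(self, grace: int = 1) -> None:
        # deque(maxlen=grace) evicts the oldest token automatically
        self.recent = collections.deque([secrets.token_hex(16)], maxlen=grace)

    def issue(self) -> str:
        return self.recent[-1]

    def validate(self, presented: str) -> bool:
        ok = any(hmac.compare_digest(t, presented) for t in self.recent)
        if ok:
            self.recent.append(secrets.token_hex(16))  # rotate on success
        return ok


def simulate_burst(strategy, clicks: int = 5) -> int:
    """Return how many of `clicks` rapid requests the server rejects.

    Models a user clicking through messages faster than responses
    return: every request is built from the token the page currently
    holds, so all of them carry the token issued before the burst.
    """
    page_token = strategy.issue()
    in_flight = [page_token] * clicks  # all sent before any reply
    results = [strategy.validate(tok) for tok in in_flight]
    return results.count(False)


if __name__ == "__main__":
    print("session-scoped   :", simulate_burst(SessionScopedTokens()), "rejected")
    print("rotating, grace=1:", simulate_burst(RotatingTokens()), "rejected")
    print("rotating, grace=2:", simulate_burst(RotatingTokens(grace=2)), "rejected")
    print("rotating, grace=5:", simulate_burst(RotatingTokens(grace=5)), "rejected")
```

Running it shows the session-scoped token accepts the whole burst, strict rotation accepts only the first request and rejects the other four (the symptom described in the thread), and a grace window at least as large as the burst brings the rejections back to zero without giving up token rotation. Whichever strategy a server uses, the token still has to be bound to the authenticated session and compared in constant time; the simulation only changes how long a token stays valid.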
Hi,
We seem to be suffering from this problem as well - it's having a fairly devastating effect on our work. Attempting to work around it by using Chrome or Firefox in incognito mode hasn't been successful, and this problem appears when using both Chrome and Firefox on Windows and Linux systems, so we can rule out any browser-specific or system-specific issues.
We get
HTTP error 401
Invalid Security Token
The requested URL does not contain your session’s correct security token.
Request information
Requested page: 403.shtml
We're using the following version:
Roundcube Webmail 1.6.11
hosted on Linux by eukhost.com
We're finding that this happens during normal use and doesn't seem to be associated with rapid activity.
Plugins are as follows - so as people have pointed out above this may be a cPanel issue:
Installed plugins

| Plugin | Version | License | Source |
|---|---|---|---|
| archive | 3.5 | GPL-3.0+ | |
| calendar | 3.5.11 | AGPL-3.0 | Download |
| carddav | v5.1.0 | GPL-2.0 | Download |
| cpanelchecks | 11.120 | cPanel License (Proprietary) | |
| cpanelicsimport | 11.108 | cPanel License (Proprietary) | |
| cpanellogin | 11.58 | cPanel License (Proprietary) | |
| cpanellogout | 11.58 | cPanel License (Proprietary) | |
| cpanelvcfimport | 11.108 | cPanel License (Proprietary) | |
| filesystem_attachments | 1.0 | GPL-3.0+ | |
| jqueryui | 1.13.2 | GPL-3.0+ | |
| libcalendaring | 3.5.11 | AGPL-3.0 | Download |
| libkolab | 3.5.11 | AGPL-3.0 | Download |
| markasjunk | 2.0 | GPL-3.0+ | |
| mixpanel_analytics | 11.126 | cPanel License (Proprietary) | |
| return_to_webmail | 11.106 | cPanel License (Proprietary) | |

Will
-
Will Robertson - were you able to make a ticket on this?
-
Hi cPRex
I raised a support ticket with eUKHost who looked for my IP address in the logs and replied:
"Hello William, Thank you for your reply.
As I can check the provided IP was blocked on the server.
I have unblocked it now. Please give it a check and let us know if you still get any issues.
Feel free to contact us if you need any further assistance.
Thank you
Regards,
Brandon S.
[1st Line Support Engineer (Linux)]"
That maybe seemed to fix it for a short while, but the problem quickly came back.
Sometimes I also get a "The login is invalid." error message (using the same username and password as successful login attempts).
We have this problem on a powerful Linux machine with plenty of RAM and hard drive space and on a much less powerful Windows laptop that runs out of both RAM and hard drive space - could it be that a token is being corrupted by lack of resources on the smaller Windows machine and that this is also affecting the login with the same username and password on the much more powerful Linux machine? I don't think this would be possible but it did go through my mind. (The smaller Windows machine was bought for next to nothing - the BIOS is locked down so that Linux can't be installed and the RAM can't be extended).
Will
-
No, there shouldn't be any interaction between the two machines.