In Roundcube 1.2 security tokens may contain [a-zA-Z0-9] characters. Regexp in Roundcube vhost config (and maybe .htaccess file) need to be updated. I'm not sure to which component this should be assigned. Jeroen, please take over.
https://github.com/roundcube/roundcubemail/commit/26086981a24e72f283da38dbdb992f27b4135a80