Description
When requesting an OpenPGP key from a WKD server, an incorrect padding size was used and a network observer could have learned the length of the requested email address. This vulnerability was fixed in Thunderbird 136 and Thunderbird 128.8.
Published: 2025-03-10
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure via email address enumeration
Action: Patch
AI Analysis

Impact

A bug in Thunderbird’s OpenPGP key retrieval over the Web Key Directory protocol caused the client to use incorrect padding when forming the key request. The padding difference exposed the length of the email address used in the lookup, allowing an attacker who could observe traffic to a WKD server to learn how long a victim’s email address is.

Affected Systems

This flaw was present in Thunderbird releases earlier than 136 and, on the 128 extended-support branch, earlier than 128.8. Mozilla released a fix in Thunderbird 136 and in Thunderbird 128.8. Systems still running earlier versions remain affected.

Risk and Exploitability

The CVSS score of 5.3 places this vulnerability in the medium range; the EPSS score of less than 1% indicates a low probability of exploitation. It is not listed in the CISA KEV catalog. The most likely attack path involves an adversary monitoring network traffic to a WKD endpoint and collecting length information, which can aid in user enumeration or targeted phishing. No elevated privileges or authentication are required.

Generated by OpenCVE AI on April 20, 2026 at 18:18 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Thunderbird to version 136 or the 128.8 branch, which contain the padding fix.
  • If an immediate upgrade is not possible, consider disabling WKD key retrieval in Thunderbird’s preferences to stop outbound key lookup requests.
  • Block outbound connections to known WKD URLs using a firewall or proxy to prevent the length disclosure until the client can be updated.

Advisories
Source | ID | Title
EUVD | EUVD-2025-7705 | When requesting an OpenPGP key from a WKD server, an incorrect padding size was used and a network observer could have learned the length of the requested email address. This vulnerability affects Thunderbird < 136 and Thunderbird < 128.8.
Ubuntu USN | USN-7663-1 | Thunderbird vulnerabilities
History

Mon, 13 Apr 2026 15:00:00 +0000

Type | Values Removed | Values Added
Description | When requesting an OpenPGP key from a WKD server, an incorrect padding size was used and a network observer could have learned the length of the requested email address. This vulnerability affects Thunderbird < 136 and Thunderbird < 128.8. | When requesting an OpenPGP key from a WKD server, an incorrect padding size was used and a network observer could have learned the length of the requested email address. This vulnerability was fixed in Thunderbird 136 and Thunderbird 128.8.
Title | thunderbird: Downloading of OpenPGP keys from WKD used incorrect padding | Downloading of OpenPGP keys from WKD used incorrect padding

Thu, 03 Apr 2025 14:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Mozilla; Mozilla thunderbird
Weaknesses | | NVD-CWE-noinfo
CPEs | | cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*
Vendors & Products | | Mozilla; Mozilla thunderbird

Thu, 13 Mar 2025 02:00:00 +0000

Type | Values Removed | Values Added
Title | | thunderbird: Downloading of OpenPGP keys from WKD used incorrect padding
Weaknesses | | CWE-203
References | |
Metrics | threat_severity: None | threat_severity: Low

Wed, 12 Mar 2025 19:15:00 +0000

Type | Values Removed | Values Added
Metrics | | cvssV3_1: {'score': 5.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L'}; ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 10 Mar 2025 18:45:00 +0000

Type | Values Removed | Values Added
Description | | When requesting an OpenPGP key from a WKD server, an incorrect padding size was used and a network observer could have learned the length of the requested email address. This vulnerability affects Thunderbird < 136 and Thunderbird < 128.8.
References | |

MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-04-13T14:27:29.612Z

Reserved: 2025-02-13T22:03:43.233Z

Link: CVE-2025-26695

Vulnrichment

Updated: 2025-03-10T18:52:19.673Z

NVD

Status: Modified

Published: 2025-03-10T19:15:40.567

Modified: 2026-04-13T15:16:54.780

Link: CVE-2025-26695

Red Hat

Severity: Low

Public Date: 2025-03-10T18:41:25Z

Links: CVE-2025-26695 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-20T18:30:13Z

Weaknesses