Description
Certain crafted MIME email messages that claimed to contain an encrypted OpenPGP message, which instead contained an OpenPGP signed message, were wrongly shown as being encrypted. This vulnerability was fixed in Thunderbird 136 and Thunderbird 128.8.
Published: 2025-03-10
Score: 7 High
EPSS: < 1% Very Low
KEV: No
Impact: Security Deception
Action: Patch
AI Analysis

Impact

A vulnerability in Thunderbird allows an attacker to craft a MIME email that claims to contain an encrypted OpenPGP message but actually contains a signed message. The application incorrectly displays the message as being encrypted, potentially misleading the user into believing the content is protected by encryption when it is not. This misrepresentation can enable phishing or social engineering attacks by making unencrypted or weakly protected content appear trustworthy. The issue reflects weaknesses in authentication (CWE-290) and security misconfiguration (CWE-451). Based on the description, it is inferred that the deceptive labeling could be leveraged for phishing or social engineering attacks.

Affected Systems

Mozilla Thunderbird is the only affected product. All releases prior to Thunderbird 128.8 and 136 have the vulnerability; it was fixed in the 128.8 and 136 releases.

Risk and Exploitability

The CVSS score of 7 indicates a moderate severity. The EPSS score of less than 1% shows a very low but existent probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. The attack vector is inferred to be via a crafted email that the user opens in Thunderbird; no additional authentication or local privileges are required. The risk is primarily to the user’s trust in the email’s security status rather than to system compromise.

Generated by OpenCVE AI on April 21, 2026 at 22:01 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Thunderbird 136 or later, which contains the fix.
  • If you must use an older version, install the patch available in Thunderbird 128.8.
  • Train users to verify that an encrypted label in Thunderbird corresponds to actual encryption; if the label appears misleading, treat the message as potentially unsigned and handle with caution.

Generated by OpenCVE AI on April 21, 2026 at 22:01 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-7706 Certain crafted MIME email messages that claimed to contain an encrypted OpenPGP message, which instead contained an OpenPGP signed message, were wrongly shown as being encrypted. This vulnerability affects Thunderbird < 136 and Thunderbird < 128.8.
Ubuntu USN Ubuntu USN USN-7663-1 Thunderbird vulnerabilities
History

Mon, 13 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Description Certain crafted MIME email messages that claimed to contain an encrypted OpenPGP message, which instead contained an OpenPGP signed message, were wrongly shown as being encrypted. This vulnerability affects Thunderbird < 136 and Thunderbird < 128.8. Certain crafted MIME email messages that claimed to contain an encrypted OpenPGP message, which instead contained an OpenPGP signed message, were wrongly shown as being encrypted. This vulnerability was fixed in Thunderbird 136 and Thunderbird 128.8.
Title thunderbird: Crafted email message incorrectly shown as being encrypted Crafted email message incorrectly shown as being encrypted

Thu, 03 Apr 2025 14:00:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla
Mozilla thunderbird
CPEs cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*
Vendors & Products Mozilla
Mozilla thunderbird

Thu, 13 Mar 2025 02:00:00 +0000

Type Values Removed Values Added
Title thunderbird: Crafted email message incorrectly shown as being encrypted
Weaknesses CWE-451
References
Metrics threat_severity

None

 threat_severity

Moderate

Tue, 11 Mar 2025 20:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-290
Metrics cvssV3_1

{'score': 7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 10 Mar 2025 18:45:00 +0000

Type Values Removed Values Added
Description Certain crafted MIME email messages that claimed to contain an encrypted OpenPGP message, which instead contained an OpenPGP signed message, were wrongly shown as being encrypted. This vulnerability affects Thunderbird < 136 and Thunderbird < 128.8.
References

Subscriptions

Mozilla Thunderbird
cve-icon MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-04-13T14:27:27.799Z

Reserved: 2025-02-13T22:03:43.233Z

Link: CVE-2025-26696

cve-icon Vulnrichment

Updated: 2025-03-11T19:16:58.244Z

cve-icon NVD

Status : Modified

Published: 2025-03-10T19:15:40.670

Modified: 2026-04-13T15:16:54.973

Link: CVE-2025-26696

cve-icon Redhat

Severity : Moderate

Publid Date: 2025-03-10T18:41:25Z

Links: CVE-2025-26696 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-21T22:15:45Z

Weaknesses