Description
An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. The remote image blocking feature can be bypassed via a crafted background attribute of a BODY element in an e-mail message. This may lead to information disclosure or access-control bypass.
Published: 2026-04-03
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Immediate Patch
AI Analysis

Impact

The vulnerability lies in the remote image blocking logic of Roundcube Webmail, allowing a crafted background attribute in a BODY element of an e‑mail to bypass the restriction. This flaw permits the rendering engine to retrieve externally hosted images, which can reveal user‑specific data or enable access‑control bypass. The weakness aligns with CWE‑669, which describes information leakage through functional parameters.

Affected Systems

Roundcube Webmail installations running any release older than 1.5.14 or 1.6.14 are affected. The fix was incorporated into the 1.5.14, 1.6.14, and 1.7‑rc5 release streams announced in March 2026. Users running these or later versions are not vulnerable.

Risk and Exploitability

The CVSS base score of 5.3 indicates moderate severity, while the EPSS score of less than 1% suggests a low probability of widespread exploitation, and the vulnerability is not present in the CISA KEV catalog. Based on the description, it is inferred that an attacker would need to deliver a malicious e‑mail containing the crafted BODY tag; the victim must open the message to trigger the bypass and receive the exposed data. This does not provide remote code execution or privilege escalation.

Generated by OpenCVE AI on April 7, 2026 at 23:02 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Roundcube to at least version 1.5.14, 1.6.14, or any newer release.
  • If an upgrade is not possible, disable remote image loading in Roundcube’s settings to stop the background attribute from being processed.

Generated by OpenCVE AI on April 7, 2026 at 23:02 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6196-1 roundcube security update
Github GHSA Github GHSA GHSA-5hf6-crg4-fg59 Roundcube: Bypass of remote image blocking via crafted BODY background attribute
History

Wed, 08 Apr 2026 20:15:00 +0000

Type Values Removed Values Added
Title Roundcube Webmail Remote Image Blocking Feature Bypass Allows Information Disclosure

Tue, 07 Apr 2026 20:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:roundcube:webmail:*:*:*:*:*:*:*:*

Fri, 03 Apr 2026 14:00:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 03 Apr 2026 10:15:00 +0000

Type Values Removed Values Added
Title Roundcube Webmail Remote Image Blocking Feature Bypass Allows Information Disclosure
First Time appeared Roundcube
Roundcube webmail
Vendors & Products Roundcube
Roundcube webmail

Fri, 03 Apr 2026 05:15:00 +0000

Type Values Removed Values Added
Description An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. The remote image blocking feature can be bypassed via a crafted background attribute of a BODY element in an e-mail message. This may lead to information disclosure or access-control bypass.
Weaknesses CWE-669
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

Subscriptions

Roundcube Webmail
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-03T12:51:27.986Z

Reserved: 2026-04-03T03:54:17.981Z

Link: CVE-2026-35542

cve-icon Vulnrichment

Updated: 2026-04-03T12:51:23.658Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-03T05:16:22.460

Modified: 2026-04-07T20:41:01.040

Link: CVE-2026-35542

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-08T19:54:21Z

Weaknesses