Description
An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. The remote image blocking feature can be bypassed via a crafted background attribute of a BODY element in an e-mail message. This may lead to information disclosure or access-control bypass.
Published: 2026-04-03
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Apply Patch
AI Analysis

Impact

An attacker can craft an e-mail with a BODY element that uses a background attribute pointing to a remote image. The Roundcube Webmail remote image blocking feature can be bypassed, allowing the client to fetch the external resource. This behavior may result in the disclosure of sensitive data or enable an access-control bypass. The underlying weakness is an improper enforcement of access controls, classified as CWE-669.

Affected Systems

Roundcube Webmail installations running a version older than 1.5.14 or 1.6.14 are affected. Any environment that has not applied these updates remains vulnerable.

Risk and Exploitability

The vulnerability has a CVSS score of 5.3 and no EPSS score or KEV listing is available. By sending a specially crafted email containing a BODY element with a background attribute, an attacker can cause the webmail interface to retrieve a remote image. This can expose information or help bypass intended restrictions. The risk is moderate in contexts that accept unsolicited or malicious email content and in which the content is rendered before being displayed to the user.

Generated by OpenCVE AI on April 3, 2026 at 07:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Roundcube Webmail to at least version 1.5.14 or 1.6.14, or any later release that contains the fix.
  • If an immediate update cannot be performed, configure the webmail system to block or disable remote image fetching, thereby restoring the intended protection.
  • Sanitize or strip background attributes in incoming email BODY tags to prevent the bypass.
  • Monitor mail logs for unusual remote image retrieval attempts and review for suspicious activity.

Tracking


Advisories
Source   ID                    Title
GitHub GHSA   GHSA-5hf6-crg4-fg59   Roundcube: Bypass of remote image blocking via crafted BODY background attribute
History

Fri, 03 Apr 2026 14:00:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 03 Apr 2026 10:15:00 +0000

Type                  Values Removed   Values Added
Title                                  Roundcube Webmail Remote Image Blocking Feature Bypass Allows Information Disclosure
First Time appeared                    Roundcube; Roundcube webmail
Vendors & Products                     Roundcube; Roundcube webmail

Fri, 03 Apr 2026 05:15:00 +0000

Type          Values Removed   Values Added
Description                    An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. The remote image blocking feature can be bypassed via a crafted background attribute of a BODY element in an e-mail message. This may lead to information disclosure or access-control bypass.
Weaknesses                     CWE-669
References
Metrics                        cvssV3_1: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}


Subscriptions

Roundcube Webmail
MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-03T12:51:27.986Z

Reserved: 2026-04-03T03:54:17.981Z

Link: CVE-2026-35542

Vulnrichment

Updated: 2026-04-03T12:51:23.658Z

NVD

Status : Undergoing Analysis

Published: 2026-04-03T05:16:22.460

Modified: 2026-04-03T16:10:23.730

Link: CVE-2026-35542

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-03T09:15:52Z

Weaknesses