Impact
Roundcube Webmail versions 1.6.x between 1.6.14 and 1.6.16 and all 1.7.x releases before 1.7.1 contain a bug in which the remote image blocking setting is not applied to URLs that point to local or private destinations. Because of this oversight, a crafted text/html email can cause the client to load a local resource that a normal user would not otherwise be able to access. The weakness is classified as CWE-669 (Incorrect Resource Transfer Between Spheres). When triggered, it can disclose sensitive information contained in local files and, in certain configurations, could allow an attacker to execute privileged operations or elevate privileges within the webmail system.
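The decision logic a remote-image blocker needs in order to close the gap described above, as an added example that is not Roundcube's own code: it classifies every <img src> in a text/html body and blocks each fetch the user has not opted into, regardless of whether the destination looks public, local or private. Treating cid: and data: as the only inline schemes, and the constructed sample body, are assumptions of this example.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Image data carried inside the message itself: nothing to fetch, nothing to block.
INLINE_SCHEMES = {"cid", "data"}  # assumption of this example, not Roundcube's list

def classify_destination(url: str) -> str:
    """Return 'inline', 'local', 'private' or 'remote' for an <img src> value."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() in INLINE_SCHEMES:
        return "inline"
    if parts.scheme.lower() == "file" or not parts.netloc:
        return "local"  # file://, absolute and relative paths hit the webmail host
    host = (parts.hostname or "").lower()
    if host == "localhost" or host.endswith(".localhost"):
        return "local"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "remote"  # a DNS name; where it resolves is not known here
    if ip.is_loopback or ip.is_unspecified:
        return "local"
    if ip.is_private or ip.is_link_local or ip.is_reserved:
        return "private"
    return "remote"

def should_block(url: str) -> bool:
    """Block every fetch the user has not opted into, whatever the destination."""
    # Blocking only hosts recognised as public is the gap the advisory describes.
    return classify_destination(url) != "inline"

class _ImgSrcCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.sources = []  # every <img src> seen in the text/html body
    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            self.sources.extend(v for k, v in attrs if k.lower() == "src" and v)

def audit_html(html: str) -> dict:
    """Map each <img src> in an HTML body to (classification, blocked?)."""
    collector = _ImgSrcCollector()
    collector.feed(html)
    return {s: (classify_destination(s), should_block(s)) for s in collector.sources}

# Constructed sample: one embedded image, three destinations a public-host-only
# blocker would let through (the page's bug), and one genuinely remote image.
SAMPLE_HTML = ('<img src="cid:logo@example"><img src="http://127.0.0.1/a.png">'
               '<img src="http://10.0.0.5/a.png"><img src="/skins/elastic/logo.svg">'
               '<img src="http://example.com/a.png">')
```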
Affected Systems
The affected product is Roundcube Webmail. Vulnerable versions include any 1.6.x build from 1.6.14 up to and including 1.6.16, as well as any 1.7.x build earlier than 1.7.1. The fix is incorporated in release 1.6.16 and in release 1.7.1, which both restore proper handling of remote image blocking for local destinations.
Risk and Exploitability
The CVSS v3.1 score for this issue is 6.5, indicating medium severity. No EPSS score is available, so the exploitation probability is currently unknown, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is remote: an attacker sends a crafted HTML email that references a local or private URL. Because the flaw triggers when the recipient opens the message, no authentication is required beyond the ability to deliver mail to the target's webmail account, which makes the risk moderate but real. Organizations should assess whether users could be induced to open such messages and apply the available mitigations promptly.
OpenCVE Enrichment