Description
In Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7.1, the remote image blocking feature can be bypassed via a crafted CSS var() value in an e-mail message, which may lead to information disclosure or access-control bypass.
Published: 2026-05-25
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Roundcube Webmail allows an attacker to circumvent the remote image blocking feature by embedding a specially crafted CSS var() expression in an e-mail message. This lets the attacker force the client to fetch external resources or reveal sensitive information, potentially exposing content that should have been blocked or bypassing intended access controls. The weakness is categorized as CWE-669 (Incorrect Resource Transfer Between Spheres).

Affected Systems

All Roundcube Webmail installations running 1.6.x before 1.6.16 or 1.7.x before 1.7.1 are affected.

Risk and Exploitability

The vulnerability has a CVSS score of 6.5, indicating moderate severity. Its EPSS is below 1% and it is not listed in the CISA KEV catalog, so the likelihood of widespread exploitation at this time is uncertain. The probable attack vector is a remote sender delivering a crafted e-mail containing the malicious CSS. Successful exploitation would cause the victim's client to load external resources, potentially revealing confidential content or bypassing intended access restrictions.

Generated by OpenCVE AI on May 25, 2026 at 20:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Roundcube Webmail to version 1.6.16 or later in the 1.6 series, or version 1.7.1 or later in the 1.7 series
  • Configure Roundcube to block or strip remote images from HTML emails, or enable any available setting that prevents external resource loading until the patch is applied
  • Monitor mail server logs and email content for suspicious CSS var() expressions and block any messages containing them

Generated by OpenCVE AI on May 25, 2026 at 20:51 UTC.
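As an added example that is not part of the OpenCVE record or of Roundcube itself, the following Python scan implements the third recommended action: it walks the HTML parts of a raw RFC 822 message, collects CSS from <style> elements and inline style attributes, and reports every CSS custom-property reference (var(--name)) so the message can be held for review. The sample message is constructed for the example.

```python
import email
import re
from email import policy
from html.parser import HTMLParser

# Matches var(--name) and var(--name, fallback); group 1 is the property name.
VAR_RE = re.compile(r"var\s*\(\s*(--[\w-]+)", re.IGNORECASE)


class _CssCollector(HTMLParser):
    """Collect (origin, css_text) pairs from <style> bodies and style="" attributes."""

    def __init__(self):
        super().__init__()
        self.css = []
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        if tag == "style":
            self._in_style = True
        for name, value in attrs:
            if name == "style" and value:
                self.css.append((f"<{tag} style>", value))

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._in_style:
            self.css.append(("<style>", data))


def find_css_var_refs(raw_message: bytes):
    """Return [(origin, property_name), ...] for var() references in text/html parts."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        collector = _CssCollector()
        collector.feed(part.get_content())
        for origin, css in collector.css:
            hits.extend((origin, m.group(1)) for m in VAR_RE.finditer(css))
    return hits


# Constructed sample (not a captured e-mail): a multipart/alternative message
# whose HTML part uses one custom property in a <style> block and one inline.
SAMPLE_MESSAGE = b"""\
From: sender@example.invalid
To: user@example.invalid
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset=us-ascii

Plain-text alternative.
--b1
Content-Type: text/html; charset=us-ascii

<html><head><style>.hdr { color: var(--brand-color); }</style></head>
<body><p style="background: var(--bg)">Hello</p><p style="color: red">Plain</p></body></html>
--b1--
"""

if __name__ == "__main__":
    for origin, name in find_css_var_refs(SAMPLE_MESSAGE):
        print(f"var() reference in {origin}: {name}")
```

Feed it raw messages from a quarantine or archive; it reports the property names and where they occur so hits can be reviewed before a message is blocked.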

Advisories
Source      ID          Title
Debian DLA  DLA-4604-1  roundcube security update
Debian DSA  DSA-6301-1  roundcube security update
History

Tue, 26 May 2026 13:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 25 May 2026 19:45:00 +0000

Type: Description
Values Added: In Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7.1, the remote image blocking feature can be bypassed via a crafted CSS var() value in an e-mail message, which may lead to information disclosure or access-control bypass.

Type: First Time appeared
Values Added: Roundcube; Roundcube webmail

Type: Weaknesses
Values Added: CWE-669

Type: CPEs
Values Added: cpe:2.3:a:roundcube:webmail:*:*:*:*:*:*:*:*

Type: Vendors & Products
Values Added: Roundcube; Roundcube webmail

Type: References

Type: Metrics (cvssV3_1)
Values Added: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-26T13:05:56.818Z

Reserved: 2026-05-25T19:21:09.220Z

Link: CVE-2026-48846

Vulnrichment

Updated: 2026-05-26T13:05:51.893Z

NVD

Status : Deferred

Published: 2026-05-25T20:16:37.160

Modified: 2026-05-26T19:26:42.643

Link: CVE-2026-48846

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-25T21:00:11Z

Weaknesses
  • CWE-669: Incorrect Resource Transfer Between Spheres