CVE-2026-35540
SSRF and Info Disclosure via CSS in Roundcube Webmail
Publication date: 2026-04-03
Last updated on: 2026-04-07
Assigner: MITRE
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| roundcube | webmail | From 1.6.0 (inc) to 1.6.14 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-669 | The product does not properly transfer a resource/behavior to another sphere, or improperly imports a resource/behavior from another sphere, in a manner that provides unintended control over that resource. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability affects Roundcube Webmail 1.6.x before 1.6.14 and stems from insufficient sanitization of Cascading Style Sheets (CSS) in HTML e-mail messages.
A message can carry a stylesheet <link> element whose href points at a host on the local network: loopback, the RFC 1918 ranges, link-local addresses, or their IPv6 equivalents.
Because Roundcube fetches referenced stylesheets server-side on the recipient's behalf, that request originates from the webmail server, inside the network perimeter. An attacker who can deliver mail to a user therefore gets a Server-Side Request Forgery (SSRF) primitive against internal hosts, and whatever comes back in the fetched "stylesheet" can disclose internal information.
How can this vulnerability impact me?
The webmail server can be made to issue HTTP requests to internal network resources that are not reachable from the Internet, which is the classic SSRF impact: reaching internal services through a trusted host.
Because the fetched resource is treated as a stylesheet, its contents or metadata can be disclosed to the attacker, and even a blocked or failed fetch can reveal whether a given internal host or port exists.
The attacker needs no account on the system; delivering a crafted message to any user is enough.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The reliable test for the vulnerability itself is the installed version: any Roundcube Webmail 1.6.x before 1.6.14 is affected. Network monitoring detects exploitation attempts rather than the presence of the flaw, and only while a recipient is actually opening a malicious message.
Since exploitation makes the webmail server fetch stylesheet URLs that resolve to local address ranges, monitor outbound HTTP(S) requests from the Roundcube host to 127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 169.254.0.0/16 and the IPv6 equivalents (::1, fc00::/7, fe80::/10).
- Use tcpdump or Wireshark on the Roundcube host and filter for web traffic to those ranges. Note that loopback traffic is only visible on the `lo` interface, not on the external one, and that the BPF `and` operator binds tighter than `or`, so the address list must be parenthesised or the port filter applies to the last range only. Interface names below are placeholders.
- Example: `tcpdump -ni eth0 '(net 10.0.0.0/8 or net 172.16.0.0/12 or net 192.168.0.0/16 or net 169.254.0.0/16 or net fc00::/7 or net fe80::/10) and (port 80 or port 443)'` and, for loopback, `tcpdump -ni lo '(host 127.0.0.1 or host ::1) and (port 80 or port 443)'`.
- Check the logs of any internal web services and reverse proxies for requests whose source is the webmail server and whose path looks like a stylesheet or another unexpected resource; Roundcube's own `logs/errors.log` may also record failed fetches.
- Confirm the installed version, for example from the "About" dialog in the web interface or the `RCMAIL_VERSION` constant in `program/include/iniset.php`; anything before 1.6.14 is vulnerable.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade Roundcube Webmail to version 1.6.14 or later, where the issue is fixed.
The fix rejects stylesheet links that resolve to local network addresses before any request is made, which closes both the SSRF and the information-disclosure path.
- Upgrade Roundcube Webmail to 1.6.14 or newer.
- Make sure the HTTP client Roundcube uses for remote fetches does not follow redirects automatically: an external URL that passes the address check can otherwise redirect to an internal one.
- Verify that the installed code includes the patch that uses the `is_local_url()` check to block local network stylesheet URLs.
- If you cannot upgrade immediately, add an egress rule on the webmail host that blocks HTTP and HTTPS connections (ports 80 and 443) from the web server process to the local ranges listed above, including the IPv6 ones. Restrict the rule to those ports rather than to all traffic: Roundcube typically reaches its IMAP and SMTP back ends on localhost or on internal addresses and must keep doing so.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability lets an attacker use insufficient CSS sanitization in Roundcube Webmail to perform Server-Side Request Forgery (SSRF) or information disclosure by referencing local network hosts through stylesheet links.
Such information disclosure risks can potentially lead to unauthorized access to sensitive internal network information, which may impact compliance with data protection regulations like GDPR or HIPAA that require safeguarding personal and sensitive data against unauthorized access or leaks.
By allowing attackers to access internal network resources or sensitive information, this vulnerability could increase the risk of data breaches or unauthorized data exposure, thereby affecting an organization's ability to comply with these standards.
The fix implemented prevents fetching stylesheets from local network addresses, mitigating SSRF and information disclosure risks, which helps maintain compliance by reducing the attack surface for data leaks.