CVE-2026-35542
Access-Control Bypass via Remote Image Blocking in Roundcube Webmail
Publication date: 2026-04-03
Last updated on: 2026-04-07
Assigner: MITRE
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| roundcube | webmail | Up to 1.5.14 (exc) |
| roundcube | webmail | From 1.6.0 (inc) to 1.6.14 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-669 | The product does not properly transfer a resource/behavior to another sphere, or improperly imports a resource/behavior from another sphere, in a manner that provides unintended control over that resource. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-35542 is a security vulnerability in Roundcube Webmail versions before 1.5.14 and 1.6.14. It involves a bypass of the remote image blocking feature through a specially crafted background attribute in the BODY element of an HTML email.
Attackers could exploit this flaw by embedding malicious image URIs within the background attribute of the <body> tag, circumventing protections that normally block remote images. This could allow the attacker to load remote images despite blocking mechanisms.
The vulnerability was fixed by enhancing the HTML sanitizer to strictly validate base64-encoded images in the background attribute, ensuring only valid base64 data is allowed and sanitizing any invalid or malicious URIs.
How can this vulnerability impact me?
This vulnerability can lead to information disclosure or access-control bypass by allowing attackers to load remote images in emails despite remote image blocking protections.
By bypassing remote image blocking, attackers can track users by forcing their email client to load remote content, potentially revealing information such as when and where an email was opened.
This can compromise user privacy and security, enabling tracking or other malicious activities through email.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves a crafted background attribute in the BODY element of HTML emails that bypasses remote image blocking in Roundcube Webmail. Detection involves inspecting incoming emails for suspicious or crafted background attributes in the BODY tag that include data URIs or URLs that attempt to load remote images.
Since the vulnerability is related to HTML email content, you can detect attempts by searching email logs or stored emails for BODY tags with background attributes containing suspicious data URIs or URLs.
Example commands to detect such patterns in stored email files or logs might include:
- Using grep to find emails with BODY background attributes containing 'data:' or suspicious URLs (the pattern is double-quoted so that both quote characters can appear inside the bracket expression): `grep -i -r "<body[^>]*background=[\"']data:" /path/to/emails/`
- Searching for background attributes with URLs pointing to external servers: `grep -i -r "<body[^>]*background=[\"']http" /path/to/emails/`
- Using regex tools or scripts to parse and validate base64 data in background attributes to detect malformed or suspicious payloads.
Additionally, monitoring HTTP requests from clients for unusual image fetches triggered by emails with crafted background attributes could help detect exploitation attempts.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to update Roundcube Webmail to version 1.5.14, 1.6.14, or later, where the vulnerability has been fixed.
The fix involves enhanced sanitization of the BODY background attribute in HTML emails, strictly validating base64-encoded images and blocking malicious URIs that attempt to bypass remote image blocking.
If immediate upgrading is not possible, consider:
- Disabling remote image loading in Roundcube Webmail settings to reduce exposure.
- Implementing additional email content filtering or sanitization at the mail server or gateway level to detect and block emails with suspicious BODY background attributes.
- Monitoring and alerting on unusual email content patterns or HTTP requests triggered by email clients.
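The detection answer above suggests scanning stored mail for BODY background attributes and validating the base64 data they carry, and the mitigation answer describes the fix as strict sanitization of that attribute. The following Python script is an added example that does both on constructed sample messages; it is not Roundcube's own sanitizer code and is not taken from the advisory. It assumes a strict policy in which the only value allowed to survive on a `<body>` background is a `data:image/...;base64,` URI whose payload is clean base64 (correct alphabet, correct padding), and it locates the attribute with a regular expression over the `<body>` tag, which is a simplification compared with a real HTML parser. The message bodies, ids and tracker hostnames are constructed for the demonstration.

```python
import base64
import binascii
import html
import re

# Strict shape of an inline image, the only value the sanitizer keeps:
# data:image/<type>;base64,<base64 alphabet with at most two '=' padding chars>
INLINE_IMAGE_RE = re.compile(
    r"^data:image/(?:png|jpeg|gif|webp|bmp);base64,([A-Za-z0-9+/]+={0,2})$"
)
SCHEME_RE = re.compile(r"^([a-z][a-z0-9+.\-]*):", re.IGNORECASE)
BODY_TAG_RE = re.compile(r"<body\b[^>]*>", re.IGNORECASE)
# A background attribute inside a tag, quoted with ", with ' or unquoted.
BACKGROUND_ATTR_RE = re.compile(
    r"""\s+background\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""", re.IGNORECASE
)


def classify_background(value):
    """Classify one entity-decoded background value.

    Returns "inline-base64", "malformed-data-uri", "remote", "empty" or "other".
    """
    value = value.strip()
    if not value:
        return "empty"
    m = INLINE_IMAGE_RE.match(value)
    if m:
        payload = m.group(1)
        try:
            # validate=True rejects characters outside the base64 alphabet;
            # the length check rejects payloads with missing padding.
            if len(payload) % 4 == 0 and base64.b64decode(payload, validate=True):
                return "inline-base64"
        except binascii.Error:
            pass
        return "malformed-data-uri"
    if value.lower().startswith("data:"):
        return "malformed-data-uri"  # a data: URI that is not a clean base64 image
    if value.startswith("//"):
        return "remote"  # protocol-relative URLs still fetch from the network
    scheme = SCHEME_RE.match(value)
    if scheme and scheme.group(1).lower() in ("http", "https", "ftp"):
        return "remote"
    return "other"


def _attr_value(match):
    """Pick whichever quoting group matched and decode HTML entities."""
    raw = next(g for g in match.groups() if g is not None)
    return html.unescape(raw)


def find_body_backgrounds(html_text):
    """Return (decoded value, category) for every background attribute on a <body> tag."""
    findings = []
    for tag in BODY_TAG_RE.finditer(html_text):
        for attr in BACKGROUND_ATTR_RE.finditer(tag.group(0)):
            value = _attr_value(attr)
            findings.append((value, classify_background(value)))
    return findings


def scan_messages(messages):
    """Detection side: (message id, category, value) for remote or malformed backgrounds."""
    report = []
    for msg_id, body_html in messages.items():
        for value, category in find_body_backgrounds(body_html):
            if category in ("remote", "malformed-data-uri"):
                report.append((msg_id, category, value))
    return report


def sanitize_body_background(html_text):
    """Mitigation side: strip every <body> background that is not a valid inline base64 image."""
    def fix_attr(attr):
        keep = classify_background(_attr_value(attr)) == "inline-base64"
        return attr.group(0) if keep else ""

    return BODY_TAG_RE.sub(
        lambda tag: BACKGROUND_ATTR_RE.sub(fix_attr, tag.group(0)), html_text
    )


# Constructed sample messages (not real mail); "iVBORw0KGgo=" is the PNG signature.
SAMPLE_MESSAGES = {
    "msg-1": '<html><body background="data:image/png;base64,iVBORw0KGgo="><p>hi</p></body></html>',
    "msg-2": '<html><body bgcolor="#fff" background="https://tracker.example/pixel.png"><p>hi</p></body></html>',
    "msg-3": '<html><body background="data:image/png;base64,not*valid*base64"><p>hi</p></body></html>',
    "msg-4": '<html><body background="&#104;ttp://tracker.example/p.gif"><p>hi</p></body></html>',
    "msg-5": '<html><body><p>no background at all</p></body></html>',
}

if __name__ == "__main__":
    for msg_id, category, value in scan_messages(SAMPLE_MESSAGES):
        print(f"{msg_id}: {category}: {value}")
    print(sanitize_body_background(SAMPLE_MESSAGES["msg-2"]))
```

Running the script flags msg-2 and msg-4 as remote and msg-3 as a malformed data URI, while msg-1 (a clean inline PNG) and msg-5 (no background) pass; the sanitizer drops the attribute from msg-2 and leaves msg-1 untouched. msg-4 shows why the grep commands in the detection answer are only a first pass: its URL is entity-encoded in the raw file, so a byte-level grep for `background="http` misses it, whereas any client or parser decodes the entity before use. A production filter should tokenize the HTML with a real parser rather than the tag-level regular expression used here.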
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability in Roundcube Webmail allows attackers to bypass remote image blocking by exploiting a crafted background attribute in the BODY element of an email. This can lead to information disclosure or access-control bypass, potentially enabling tracking of users through remote images.
Such unauthorized tracking and information disclosure can impact compliance with privacy regulations like GDPR and HIPAA, which require protection of personal data and user privacy. By circumventing remote image blocking, attackers may collect user data without consent, violating these standards.
The fix improves sanitization of HTML email content to prevent this bypass, thereby helping to maintain compliance with privacy and data protection requirements by mitigating risks of unauthorized data exposure.