CVE-2026-35542
Received Received - Intake
Access-Control Bypass via Remote Image Blocking in Roundcube Webmail

Publication date: 2026-04-03

Last updated on: 2026-04-07

Assigner: MITRE

Description
An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. The remote image blocking feature can be bypassed via a crafted background attribute of a BODY element in an e-mail message. This may lead to information disclosure or access-control bypass.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-03
Last Modified
2026-04-07
Generated
2026-06-16
AI Q&A
2026-04-03
EPSS Evaluated
2026-06-15
NVD
CVE-2026-35542
EUVD
EUVD-2026-18587
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
roundcube webmail to 1.5.14 (exc)
roundcube webmail From 1.6.0 (inc) to 1.6.14 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-669 The product does not properly transfer a resource/behavior to another sphere, or improperly imports a resource/behavior from another sphere, in a manner that provides unintended control over that resource.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-35542 is a security vulnerability in Roundcube Webmail versions before 1.5.14 and 1.6.14. It involves a bypass of the remote image blocking feature through a specially crafted background attribute in the BODY element of an HTML email.

Attackers could exploit this flaw by embedding malicious image URIs within the background attribute of the <body> tag, circumventing protections that normally block remote images. This could allow the attacker to load remote images despite blocking mechanisms.

The vulnerability was fixed by enhancing the HTML sanitizer to strictly validate base64-encoded images in the background attribute, ensuring only valid base64 data is allowed and sanitizing any invalid or malicious URIs.

Compliance Impact

The vulnerability in Roundcube Webmail allows attackers to bypass remote image blocking by exploiting a crafted background attribute in the BODY element of an email. This can lead to information disclosure or access-control bypass, potentially enabling tracking of users through remote images.

Such unauthorized tracking and information disclosure can impact compliance with privacy regulations like GDPR and HIPAA, which require protection of personal data and user privacy. By circumventing remote image blocking, attackers may collect user data without consent, violating these standards.

The fix improves sanitization of HTML email content to prevent this bypass, thereby helping to maintain compliance with privacy and data protection requirements by mitigating risks of unauthorized data exposure.

Impact Analysis

This vulnerability can lead to information disclosure or access-control bypass by allowing attackers to load remote images in emails despite remote image blocking protections.

By bypassing remote image blocking, attackers can track users by forcing their email client to load remote content, potentially revealing information such as when and where an email was opened.

This can compromise user privacy and security, enabling tracking or other malicious activities through email.

Detection Guidance

This vulnerability involves a crafted background attribute in the BODY element of HTML emails that bypasses remote image blocking in Roundcube Webmail. Detection involves inspecting incoming emails for suspicious or crafted background attributes in the BODY tag that include data URIs or URLs that attempt to load remote images.

Since the vulnerability is related to HTML email content, you can detect attempts by searching email logs or stored emails for BODY tags with background attributes containing suspicious data URIs or URLs.

Example commands to detect such patterns in stored email files or logs might include:

  • Using grep to find emails with BODY background attributes containing 'data:' or suspicious URLs: grep -i -r '<body[^>]*background=["\']data:' /path/to/emails/
  • Searching for background attributes with URLs pointing to external servers: grep -i -r '<body[^>]*background=["\']http' /path/to/emails/
  • Using regex tools or scripts to parse and validate base64 data in background attributes to detect malformed or suspicious payloads.

Additionally, monitoring HTTP requests from clients for unusual image fetches triggered by emails with crafted background attributes could help detect exploitation attempts.

Mitigation Strategies

The primary mitigation is to update Roundcube Webmail to version 1.5.14, 1.6.14, or later, where the vulnerability has been fixed.

The fix involves enhanced sanitization of the BODY background attribute in HTML emails, strictly validating base64-encoded images and blocking malicious URIs that attempt to bypass remote image blocking.

If immediate upgrading is not possible, consider:

  • Disabling remote image loading in Roundcube Webmail settings to reduce exposure.
  • Implementing additional email content filtering or sanitization at the mail server or gateway level to detect and block emails with suspicious BODY background attributes.
  • Monitoring and alerting on unusual email content patterns or HTTP requests triggered by email clients.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-35542. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart