CVE-2026-35543
SVG-Based Access Control Bypass in Roundcube Webmail Before

Publication date: 2026-04-03

Last updated on: 2026-04-07

Assigner: MITRE

Description
An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. The remote image blocking feature can be bypassed via SVG content (with animate attributes) in an e-mail message. This may lead to information disclosure or access-control bypass.
Meta Information
Generated: 2026-05-07
AI Q&A: 2026-04-03
EPSS Evaluated: 2026-05-05
External references: NVD, EUVD
Affected Vendors & Products (2 associated CPEs)
Vendor     Product   Version / Range
roundcube  webmail   all versions before 1.5.14 (excluding)
roundcube  webmail   from 1.6.0 (including) before 1.6.14 (excluding)
CWE
CWE-669: The product does not properly transfer a resource/behavior to another sphere, or improperly imports a resource/behavior from another sphere, in a manner that provides unintended control over that resource.
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability in Roundcube Webmail allows bypassing remote image blocking via SVG animation elements, which can lead to information disclosure or access-control bypass.

Such information disclosure or unauthorized access could potentially impact compliance with data protection regulations like GDPR or HIPAA, which require safeguarding personal and sensitive information against unauthorized access or leakage.


Can you explain this vulnerability to me?

CVE-2026-35543 is a security vulnerability in Roundcube Webmail versions before 1.5.14 and 1.6.14. It is a bypass of the remote image blocking feature through SVG animation elements embedded in an HTML e-mail message.

Specifically, SVG animation elements such as <animate>, <animateColor>, <set> and <animateTransform> carry an attributeName that names the attribute of their parent element they animate, together with an animated value. When attributeName is href, mask or cursor and the animated value carries an external URL (for example a url(...) reference), the animation rewrites the parent element to point at a remote resource once the message is rendered, which circumvents the intended blocking of remote images.

The bypass works because the HTML sanitizer did not inspect these animation elements, so the rewritten reference escaped the remote-content filter and the browser loaded the external resource even though remote image blocking was enabled.

The fix extends the sanitizer to detect and block these unsafe SVG animation elements, inspecting the relevant attributes with regular expressions and inserting an HTML comment in place of each blocked element.


How can this vulnerability impact me?

This vulnerability can lead to information disclosure or access-control bypass: remote images or other external resources referenced from an e-mail message are loaded even though remote image blocking is enabled.

An attacker can use this to track recipients by loading remote content without their consent, revealing the recipient's IP address, the time the message was opened, and client details carried in the request.

It also defeats a security control that exists to keep external content out of the mail client, which raises the risk of privacy violations and of further attacks delivered through that content.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability involves bypassing remote image blocking via SVG animation elements in Roundcube Webmail. Detection means inspecting e-mail messages or HTML content for SVG animation elements such as <animate>, <animateColor>, <set> and <animateTransform> whose attributeName is href, mask or cursor and whose animated value contains an external URL (e.g., url(...)).

To look for exploitation attempts, search stored message bodies for these patterns. Two caveats apply: mail on disk is usually MIME-encoded (base64 or quoted-printable), so grep on raw mailbox files only finds HTML parts that were stored unencoded and you should decode bodies before searching; and the patterns below also match benign animations (opacity, transform) and unrelated tags, so hits need review.

  • Search for SVG animation elements in e-mail files, e.g.: grep -rilE '<(animate|animateColor|animateTransform|set)[[:space:]/>]' /path/to/emails
  • Search for attributeName values that can carry a URL, e.g.: grep -rilE 'attributeName="(href|mask|cursor)"' /path/to/emails
  • Look for url(...) references inside animated values, e.g.: grep -rilE '(values|to|from)="[^"]*url\(' /path/to/emails

A file that matches all three patterns is the strongest candidate; open it and confirm that the animated value actually points at an external host before treating it as an exploitation attempt.
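The following is an added example, not Roundcube's code (its sanitizer is rcube_washtml.php) and not part of the original page. It serves both the explanation of the bypass above and the detection question: scan_message decodes the MIME parts of a stored message before scanning, so base64 or quoted-printable bodies that raw grep misses are covered, and wash_html shows the kind of check the fix adds by replacing a flagged animation element with an HTML comment. The tag, attributeName and value-attribute lists follow the CVE description and are assumptions you may need to widen; the two sample messages are constructed here.

```python
"""Scan decoded MIME parts for SVG animation elements that retarget an attribute
to a remote URL, and wash them the way a sanitizer would.  Added example, not
Roundcube code; the lists below follow the CVE description and are assumptions."""
import email
import re
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser

ANIMATION_TAGS = {"animate", "animatecolor", "set", "animatetransform"}
SENSITIVE_TARGETS = {"href", "mask", "cursor"}   # attributeName values named by the CVE
VALUE_ATTRS = ("values", "to", "from", "by")      # where an animation keeps its value
# http(s) or scheme-relative reference, bare or inside url(...)
EXTERNAL_REF = re.compile(r"""(?:^|[\s;(,"'])(?:https?:)?//""", re.I)
REMOVED = "<!-- svg animation removed -->"


class AnimationScanner(HTMLParser):
    """Flags animation elements whose animated value points at a remote host."""

    def __init__(self, html):
        super().__init__()
        self.html = html
        self.findings = []   # (tag, attributeName, attr, value)
        self.spans = []      # (start, end, replacement) offsets to splice out
        self._open = None    # flagged non-self-closing tag awaiting its </tag>
        self._lines = [0] + [m.end() for m in re.finditer(r"\n", html)]

    def _abs(self):          # getpos() is the (line, col) of the tag being handled
        line, col = self.getpos()
        return self._lines[line - 1] + col

    def handle_starttag(self, tag, attrs):   # HTMLParser lowercases tag/attr names
        if tag not in ANIMATION_TAGS:
            return
        a = {k: (v or "") for k, v in attrs}
        if a.get("attributename", "").lower() not in SENSITIVE_TARGETS:
            return
        for attr in VALUE_ATTRS:
            if EXTERNAL_REF.search(a.get(attr, "")):
                self.findings.append((tag, a["attributename"].lower(), attr, a[attr].strip()))
                raw, start = self.get_starttag_text(), self._abs()
                self.spans.append((start, start + len(raw), REMOVED))
                if not raw.rstrip().endswith("/>"):
                    self._open = tag
                return

    def handle_endtag(self, tag):
        if tag == self._open:            # drop the stray end tag of a removed element
            start = self._abs()
            m = re.match(r"</\s*[\w:-]+\s*>", self.html[start:])
            if m:
                self.spans.append((start, start + m.end(), ""))
            self._open = None


def _scan(html):
    s = AnimationScanner(html)
    s.feed(html)
    s.close()
    return s


def scan_html(html):
    """Return the flagged animation elements found in one HTML body."""
    return _scan(html).findings


def wash_html(html):
    """Replace flagged animation elements with a comment; everything else is kept verbatim."""
    out, pos = [], 0
    for start, end, rep in sorted(_scan(html).spans):
        out.append(html[pos:start] + rep)
        pos = end
    return "".join(out) + html[pos:]


def scan_message(raw_bytes):
    """Decode every text/html part (base64, quoted-printable, ...) before scanning it."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    return [f for part in msg.walk() if part.get_content_type() == "text/html"
            for f in scan_html(part.get_content())]


def build_sample(html, cte="base64"):
    """Constructed test message; the HTML part is transfer-encoded, so raw grep misses it."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "sender@example.test", "victim@example.test", "sample"
    msg.set_content(html, subtype="html", cte=cte)
    return msg.as_bytes()


# Constructed samples: a tracking SVG (hypothetical host) and a harmless opacity animation.
MALICIOUS_HTML = (
    '<svg xmlns="http://www.w3.org/2000/svg"><image width="1" height="1" href="data:image/gif;base64,R0lGOD">'
    '<animate attributeName="href" values="https://tracker.example.test/p.gif" dur="1s" fill="freeze"/></image>\n'
    '<rect width="1" height="1"><set attributeName="mask" to="url(https://tracker.example.test/m.svg#m)"></set></rect></svg>'
)
BENIGN_HTML = '<svg><circle r="5"><animate attributeName="opacity" values="0;1" dur="1s"/></circle></svg>'

if __name__ == "__main__":
    raw = build_sample(MALICIOUS_HTML)
    print("raw grep for '<animate' would hit:", b"<animate" in raw)   # base64 body: no hit
    for finding in scan_message(raw):
        print("FLAGGED", finding)
    print(wash_html(MALICIOUS_HTML))
```

Run it as a script to see that the encoded sample gives grep nothing to match while scan_message still reports both elements; point scan_message at real Maildir files to triage a mailbox. wash_html deliberately leaves the parent element in place and removes only the animation, which is the minimal change that stops the retargeting without breaking otherwise valid SVG.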


What immediate steps should I take to mitigate this vulnerability?

Upgrade Roundcube Webmail to 1.5.14 (1.5 branch) or 1.6.14 (1.6 branch), or a later release; both contain the fix.

The fix is an enhanced sanitization of SVG animation elements in the HTML sanitizer (rcube_washtml.php), which blocks animation elements that can reference external resources.

If an immediate upgrade is not possible, apply the patch from the official Roundcube repository that adds detection and blocking of SVG animation elements whose attributeName (href, mask or cursor) is animated to an external URL.

Also review your mail gateway's filtering and sanitization policy so that SVG content with animation elements that could load remote resources is blocked or sanitized before delivery. After patching, verify with a test message that carries such an SVG while remote image blocking is enabled: opening the message must not produce a request to the external host.

