CVE-2026-35543
Received Received - Intake
SVG-Based Access Control Bypass in Roundcube Webmail Before

Publication date: 2026-04-03

Last updated on: 2026-04-07

Assigner: MITRE

Description
An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. The remote image blocking feature can be bypassed via SVG content (with animate attributes) in an e-mail message. This may lead to information disclosure or access-control bypass.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-03
Last Modified
2026-04-07
Generated
2026-06-16
AI Q&A
2026-04-03
EPSS Evaluated
2026-06-15
NVD
CVE-2026-35543
EUVD
EUVD-2026-18589
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
roundcube webmail to 1.5.14 (exc)
roundcube webmail From 1.6.0 (inc) to 1.6.14 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-669 The product does not properly transfer a resource/behavior to another sphere, or improperly imports a resource/behavior from another sphere, in a manner that provides unintended control over that resource.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The vulnerability in Roundcube Webmail allows bypassing remote image blocking via SVG animation elements, which can lead to information disclosure or access-control bypass.

Such information disclosure or unauthorized access could potentially impact compliance with data protection regulations like GDPR or HIPAA, which require safeguarding personal and sensitive information against unauthorized access or leakage.

Executive Summary

CVE-2026-35543 is a security vulnerability in Roundcube Webmail versions before 1.5.14 and 1.6.14. It involves a bypass of the remote image blocking feature by exploiting SVG animation elements embedded in email messages.

Specifically, certain SVG tags such as <animate>, <animateColor>, <set>, and <animateTransform> with attributes like attributeName="href", or attributeName="mask" or "cursor" combined with values containing external URLs (e.g., url(...)) can be used to circumvent the intended blocking of remote images.

This bypass occurs because these SVG animation elements were not properly detected and blocked by the HTML sanitizer, allowing external resources to be loaded despite the remote image blocking feature.

The vulnerability was fixed by enhancing the sanitization logic to detect and block these insecure SVG animation tags, using improved attribute inspection with regular expressions and inserting comments in place of blocked elements.

Impact Analysis

This vulnerability can lead to information disclosure or access-control bypass by allowing remote images or external resources to be loaded in email messages despite remote image blocking settings.

Attackers can exploit this to track users by loading remote content without their consent, potentially revealing information such as IP addresses, email opening times, or other metadata.

It may also allow bypassing security controls intended to prevent loading of external content, increasing the risk of privacy violations or further attacks through malicious content.

Detection Guidance

This vulnerability involves bypassing remote image blocking via SVG animation elements with specific attributes in Roundcube Webmail. Detection involves inspecting email messages or HTML content for SVG tags such as <animate>, <animateColor>, <set>, and <animateTransform> that have attributes like attributeName="href", or attributeName="mask" or "cursor" with values containing external URLs (e.g., url(...)).

To detect exploitation attempts on your system or network, you can search for suspicious SVG animation tags in email content or logs. For example, you might use commands to scan stored emails or webmail logs for these patterns.

  • Use grep or similar tools to search for SVG animation tags with suspicious attributes in email files or logs, e.g.: grep -i -E '<animate|<animateColor|<set|<animateTransform' /path/to/emails/*
  • Search for attributeName values that could indicate bypass attempts, e.g.: grep -i -E 'attributeName="(href|mask|cursor)"' /path/to/emails/*
  • Look for URLs inside values attributes that might load remote resources, e.g.: grep -i -E 'values=".*url\(' /path/to/emails/*

These commands can help identify potentially malicious SVG content attempting to bypass remote image blocking.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade Roundcube Webmail to version 1.5.14, 1.6.14, or later, where the issue has been fixed.

The fix involves enhanced sanitization of SVG animation elements in the HTML sanitizer (rcube_washtml.php), which blocks insecure SVG animate tags that could reference external resources.

If immediate upgrade is not possible, consider applying the patch from the official Roundcube repository that introduces detection and blocking of insecure SVG animation tags with attributes like attributeName="href", "mask", or "cursor" referencing external URLs.

Additionally, review and tighten your email filtering and sanitization policies to block or sanitize SVG content with animation attributes that could load remote resources.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-35543. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart