A vulnerability in Roundcube Webmail

Roundcube, one of the most widely used open-source webmail programs in the world, has fixed a privacy bypass vulnerability with important security updates. Even when users had explicitly set "Block remote images" in their preferences, the vulnerability described by NULL CATHEDRAL allowed attackers to load remote images and monitor email opens.

All 1.6.x versions before 1.6.13 and Roundcube Webmail versions before 1.5.13 are vulnerable. The problem was made public on February 8, 2026, and has since been fixed by the maintainers in versions 1.5.13 and 1.6.13. The problem lies in Roundcube's HTML sanitizer, rcube_washtml, which cleans incoming email content to prevent privacy leaks and Cross-Site Scripting (XSS).

When the user sets allow_remote to false, the sanitizer intercepts HTML attributes that are known to load external resources. The function is_image_attribute() specifically checks for attributes (such as src or href) that would trigger a network request in image-loading tags such as <img>.

Standard links, such as <a href="...">, are handled differently, though. So that users can click on genuine hyperlinks, they go through a function called wash_link() that allows HTTP and HTTPS URLs. The vulnerability arose because the sanitizer failed to recognize an SVG element as an image container: the SVG filter primitive <feImage> uses its href attribute to retrieve image data from an external source.

According to the NULL CATHEDRAL report, rcube_washtml did not include feimage in the blocklist used by is_image_attribute(), so it treated the href essentially as a regular clickable link. As a result, the malicious URL was passed to wash_link(), which allowed the external connection. An attacker could exploit this by embedding an invisible 1x1 SVG in an email.

As soon as the email was rendered, a filter definition inside the SVG using <feImage> would automatically send a GET request to a server under the attacker's control. This bypass undermines users' privacy safeguards against tracking pixels. Threat actors could exploit the flaw to:

- verify that an email address is active,
- record the recipient's IP address, and
- fingerprint the victim's device and browser.

The fix, applied in commit 26d7677, updates the regex logic in is_image_attribute(). When examining href attributes, the sanitizer now recognizes feimage alongside image and use, so the stringent image sanitization rules detect and block any attempt to load external resources through SVG filters.
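To make the failure mode concrete, here is an added Python model of the sanitizer's decision logic; it is not Roundcube's PHP code, and the regexes, the wash_link() rule and the sample email body (with placeholder URLs) are simplified assumptions for illustration. It reports which remote URLs survive washing with remote images blocked, before and after the feimage fix.

```python
import re
from html.parser import HTMLParser

# Constructed sample body, not taken from the advisory: a tracking <img>,
# a genuine hyperlink, and the SVG filter primitive the report describes.
SAMPLE_EMAIL = (
    '<p>Hello <a href="https://example.com/news">read more</a></p>'
    '<img src="https://tracker.example/open.gif" width="1" height="1">'
    '<svg width="1" height="1"><filter id="f">'
    '<feImage href="https://tracker.example/svg-open.png"/></filter>'
    '<rect filter="url(#f)" width="1" height="1"/></svg>'
)

def is_image_attribute(tag, attr, fixed):
    """Model of rcube_washtml's check: does (tag, attr) fetch image data?
    The pre-fix href pattern only knew <image> and <use>; the fix adds feimage."""
    href_tags = r'^(image|use|feimage)$' if fixed else r'^(image|use)$'
    return bool(attr in ('background', 'poster')
                or (attr == 'src' and re.match(r'^(img|source)$', tag))
                or (attr == 'href' and re.match(href_tags, tag)))

def wash_link(value):
    """Model of wash_link(): ordinary hyperlinks may point to http(s) URLs."""
    return value if re.match(r'^https?://', value, re.I) else ''

class Washer(HTMLParser):
    """Collects (tag, url) pairs whose href survives washing with
    allow_remote=False; HTMLParser lowercases tag names, so feImage -> feimage."""
    def __init__(self, fixed):
        super().__init__()
        self.fixed, self.remote = fixed, []

    def handle_starttag(self, tag, attrs):
        for attr, value in attrs:
            if value is None:
                continue
            if is_image_attribute(tag, attr, self.fixed):
                continue                              # blocked as a remote image
            if attr == 'href' and wash_link(value):
                self.remote.append((tag, value))      # passed through as a link

    handle_startendtag = handle_starttag              # handle <feImage .../> too

def surviving_remote_urls(body, fixed):
    """Return the href URLs a client would still see after sanitization."""
    washer = Washer(fixed)
    washer.feed(body)
    return washer.remote
```

With fixed=False the feimage href is passed through as if it were a hyperlink (and fetched automatically on render); with fixed=True only the clickable <a> link remains.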

To safeguard user privacy, administrators of self-hosted Roundcube instances are advised to update to version 1.5.13 or 1.6.13 immediately.