Roundcube Webmail Remote Image Blocking Bypass Vulnerability

Vulnerability

Roundcube Webmail versions prior to 1.5.14 and 1.6.14 allow the remote image blocking feature to be bypassed by means of a crafted background attribute in the BODY element of an email message. Bypassing image blocking can lead to information disclosure or access control issues.

Impact

Exploitation of this vulnerability can bypass the remote image blocking feature, potentially leading to unauthorized information disclosure or access control violations.

Reproduction

To reproduce this vulnerability, send an email containing a BODY element with a crafted background attribute that includes data URI images. When the email is received and the background image is processed, the remote image blocking will be bypassed, allowing the images to be loaded despite the blocking feature being active.
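A triage check for stored or inbound mail, added here as an example and not taken from Roundcube or from this advisory: it reports every BODY element that carries a background attribute, the element and attribute named above, and labels the value as a data URI, a remote URL, or other. The function names and both sample messages are constructed for illustration, and the check is a broad heuristic rather than a signature for the crafted value.

```python
import email
from email import policy
from html.parser import HTMLParser


class BodyBackgroundFinder(HTMLParser):
    """Collects the value of every background attribute on a <body> tag."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.values = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases tag and attribute names before calling this.
        if tag == "body":
            self.values += [v or "" for k, v in attrs if k == "background"]


def classify(value):
    """Coarse triage label for an attribute value."""
    v = value.strip().lower()
    if v.startswith("data:"):
        return "data-uri"
    if v.startswith(("http://", "https://", "//")):
        return "remote"
    return "other"


def scan_message(raw_bytes):
    """Return [(label, value)] for BODY background attributes in text/html parts."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        finder = BodyBackgroundFinder()
        finder.feed(part.get_content())  # decoded per the part's charset
        finder.close()
        findings += [(classify(v), v) for v in finder.values]
    return findings


# Constructed sample messages (assumptions, not from the advisory).
HEADERS = (b"From: a@example.com\r\nTo: b@example.com\r\nSubject: test\r\n"
           b"MIME-Version: 1.0\r\nContent-Type: text/html; charset=utf-8\r\n\r\n")
SAMPLE_FLAGGED = HEADERS + b'<html><BODY BackGround="https://img.example/bg.png"><p>hi</p></BODY></html>\r\n'
SAMPLE_CLEAN = HEADERS + b"<html><body><p>hi</p></body></html>\r\n"

if __name__ == "__main__":
    print(scan_message(SAMPLE_FLAGGED), scan_message(SAMPLE_CLEAN))
```

A hit means the message deserves a closer look on an unpatched installation; it does not by itself show that image blocking was bypassed.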

Remediation

Users can update to Roundcube Webmail versions 1.5.14, 1.6.14, or 1.7-rc6, all of which include the necessary fix. Instructions for updating are available on the Roundcube website.

Added: Apr 3, 2026, 5:24 AM
Updated: Apr 3, 2026, 5:24 AM

Vulnerability Rating

Custom Algorithm
spread: 7.6
impact: 1.5
exploitability: 7.6
remediation: 7.7
relevance: 5.2
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.