Roundcube Webmail Local URL Fetch Bypass Vulnerability Allowing Information Disclosure or Privilege Escalation

Vulnerability

Roundcube Webmail 1.6.x from 1.6.14 up to, but not including, 1.6.16, and 1.7.x prior to 1.7.1, do not apply remote image blocking to image URLs whose host is a local or private address (for example 127.0.0.1). A crafted text/html message can therefore cause the recipient's client to load such a URL without the user choosing to display remote content. This could lead to unauthorized information disclosure or privilege escalation.

Impact

Exploitation requires only that the recipient open a crafted HTML message; the user does not have to accept the usual prompt to display remote content. The result can be information disclosure or privilege escalation.

Reproduction

To reproduce, send a text/html message containing an image element whose source points to a local address, such as http://127.0.0.1/, or to an address in a private range. On an affected version, opening the message loads the image from that URL even though remote image display is disabled. As a control, include an image hosted on a public host in the same message: on both affected and fixed versions it must appear as blocked remote content, which confirms that blocking is enabled at all; on a fixed version the local and private URLs are blocked in the same way.
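The following is an added example, not Roundcube's own code, that packages the reproduction above as a probe message and a reference policy. All probe URLs are constructed and point at nothing real; should_block_image() expresses the policy a client should apply (anything that is not an inline cid: or data: reference counts as remote, regardless of host), and unblocked_fetches() can be run over the HTML a client actually renders to list sources it failed to block. Function and constant names are this example's own.

```python
"""Probe message and reference blocking policy for the local-URL image
bypass described above (added example, not Roundcube code)."""
import ipaddress
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed probe targets. The URL is the point; nothing answers there.
PROBE_URLS = [
    "http://127.0.0.1/probe.png",
    "http://[::1]/probe.png",
    "http://localhost:8080/probe.png",
    "http://10.0.0.5/probe.png",
    "http://192.168.1.1/probe.png",
    "//169.254.169.254/latest/meta-data/",
    "https://example.com/probe.png",  # public control, should be blocked too
]

INLINE_SCHEMES = {"cid", "data"}


def host_kind(host: str) -> str:
    """Classify a host as loopback, private, or public for reporting only."""
    if host.lower() == "localhost":
        return "loopback"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "public"  # a DNS name; treat as public for labelling
    if ip.is_loopback:
        return "loopback"
    if ip.is_private or ip.is_link_local:
        return "private"
    return "public"


def should_block_image(src: str) -> bool:
    """Return True when rendering this image source causes a network fetch.

    The fix amounts to: do not exempt local or private hosts from remote
    image blocking. Only inline references (cid:, data:) render without
    reaching out, so everything else is blocked until the user consents.
    """
    scheme = urlsplit(src.strip()).scheme.lower()
    return scheme not in INLINE_SCHEMES


def build_probe_message(sender: str, recipient: str) -> EmailMessage:
    """Build the text/html probe message; send it with any SMTP client."""
    rows = "\n".join(
        f'<p>{host_kind(urlsplit(u).hostname or "")}: '
        f'<img src="{u}" alt="{u}" width="1" height="1"></p>'
        for u in PROBE_URLS
    )
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = "Remote image blocking probe (local/private hosts)"
    msg.set_content(f"<html><body>\n{rows}\n</body></html>", subtype="html")
    return msg


class _ImgCollector(HTMLParser):
    """Collect every <img src=...> value from an HTML fragment."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.sources.append(value)


def unblocked_fetches(html: str) -> list:
    """Image sources in rendered HTML that would still trigger a fetch.

    Feed this the HTML the webmail client serves for the probe message:
    a correct blocker rewrites every such source, so the result is empty.
    """
    parser = _ImgCollector()
    parser.feed(html)
    return [s for s in parser.sources if should_block_image(s)]


if __name__ == "__main__":
    # Print the raw message so it can be piped into an SMTP client.
    print(build_probe_message("probe@example.test", "victim@example.test"))
```

The unsanitised probe message itself reports every probe URL as an unblocked fetch; that is expected, since it is the input. The interesting run is over the HTML the client produces for that message after sanitisation: any local or private URL that survives there is the behaviour this advisory describes.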

Remediation

Update to Roundcube Webmail 1.6.16 (1.6 branch) or 1.7.1 (1.7 branch); both releases contain the fix. The releases are available from the Roundcube website and from the Roundcube GitHub repository.

Added: May 26, 2026, 6:42 PM
Updated: May 26, 2026, 6:42 PM

Vulnerability Rating

Custom Algorithm
spread: 7.6
impact: 0.6
exploitability: 7.0
remediation: 7.7
relevance: 9.4
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.