Roundcube Webmail Vulnerability Let Attackers Track Email Opens


Roundcube, one of the world’s most popular open-source webmail solutions, has released critical security updates to address a privacy bypass vulnerability.

The flaw detailed by NULL CATHEDRAL allowed attackers to load remote images and track email opens, even when users had explicitly configured their settings to “Block remote images.”

The vulnerability affects Roundcube Webmail versions prior to 1.5.13 and all 1.6.x versions prior to 1.6.13. The maintainers have released versions 1.5.13 and 1.6.13 to patch the issue, which was publicly disclosed on February 8, 2026.

The core of the issue lies in Roundcube’s HTML sanitizer, rcube_washtml, which is responsible for cleaning incoming email content to prevent Cross-Site Scripting (XSS) and privacy leaks.

When a user sets allow_remote to false, the sanitizer intercepts HTML attributes known to load external resources. Specifically, the function is_image_attribute() checks image-bearing tags such as image and use for attributes that might trigger a network request (such as src or href). If matched, the URL is sanitized to ensure it is not external.

However, standard links (the a element) are processed differently. They pass through a function called wash_link(), which permits HTTP and HTTPS URLs so that users can click on legitimate hyperlinks.


The vulnerability arose because the sanitizer failed to classify the feImage SVG element as an image container.

The Exploit Mechanism

The feImage element is an SVG filter primitive that fetches image data from an external source using the href attribute. Because rcube_washtml did not include feimage in its blocklist for is_image_attribute(), the sanitizer treated the href essentially as a standard clickable link, reads the NULL CATHEDRAL report.

Consequently, the malicious URL was routed to wash_link(), which allowed the external connection.

An attacker could exploit this by embedding an invisible 1×1 SVG in an email. Inside the SVG, a filter definition using feImage would automatically trigger a GET request to an attacker-controlled server as soon as the email was rendered.

This bypass defeats the privacy protections users rely on to prevent tracking pixels. By exploiting this flaw, threat actors could:

  • Confirm an email address is active.
  • Log the recipient’s IP address.
  • Fingerprint the victim’s browser and device.

The fix, implemented in commit 26d7677, updates the regex logic within is_image_attribute(). The sanitizer now explicitly recognizes feimage alongside image and use when inspecting href attributes. This ensures that any attempt to load external resources via SVG filters is caught and blocked by the strict image sanitization rules.
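To make the before/after classification concrete, here is an added, simplified Python model of the tag/attribute check described above; it is not Roundcube's PHP code, and the tag sets (image, use, plus img for src, with feimage added only after the fix) and the xlink:href handling are assumptions. It walks a constructed sample message and reports which remote URLs the image rules would block and which would reach wash_link() as ordinary links.

```python
import re
from html.parser import HTMLParser

# Hypothetical, simplified model of is_image_attribute() as described in the article.
# Tag sets are an assumption: the page names image/use (and feimage after the fix).
IMAGE_TAGS_BEFORE_FIX = {"img", "image", "use"}
IMAGE_TAGS_AFTER_FIX = {"img", "image", "use", "feimage"}
REMOTE_URL = re.compile(r"^\s*(?:https?:)?//", re.IGNORECASE)

def is_image_attribute(tag, attr, image_tags):
    """True when a tag/attr pair is treated as an image load (blocked when allow_remote is false)."""
    tag = tag.lower()
    attr = attr.lower().split(":")[-1]  # xlink:href -> href (modelling assumption)
    if tag == "img":
        return attr == "src"
    return tag in image_tags and attr == "href"

class RemoteRefAuditor(HTMLParser):
    """Sorts every remote URL in a body into 'blocked as image' or 'passed on as a link'."""
    def __init__(self, image_tags):
        super().__init__()
        self.image_tags = image_tags
        self.blocked = []         # (tag, url) pairs the image rules would stop
        self.passed_as_link = []  # (tag, url) pairs that would reach wash_link()

    def handle_starttag(self, tag, attrs):  # also called for self-closing tags
        for attr, value in attrs:
            if not value or not REMOTE_URL.match(value):
                continue
            if is_image_attribute(tag, attr, self.image_tags):
                self.blocked.append((tag, value))
            elif attr.lower().split(":")[-1] in ("href", "src"):
                self.passed_as_link.append((tag, value))

def audit(html, image_tags):
    parser = RemoteRefAuditor(image_tags)
    parser.feed(html)
    parser.close()
    return parser.blocked, parser.passed_as_link

# Constructed sample message: one legitimate link, one feImage beacon, one classic pixel.
SAMPLE_EMAIL = """<p>Hi, see <a href="https://example.com/news">our news</a>.</p>
<svg width="1" height="1"><filter id="f"><feImage href="https://tracker.invalid/p.gif"/></filter></svg>
<img src="https://tracker.invalid/pixel.png">"""

if __name__ == "__main__":
    for label, tags in (("before fix", IMAGE_TAGS_BEFORE_FIX), ("after fix", IMAGE_TAGS_AFTER_FIX)):
        blocked, passed = audit(SAMPLE_EMAIL, tags)
        print(label, "| blocked:", blocked, "| passed to wash_link():", passed)
```

Before the fix the feImage href is classified as a link and survives; after the fix it is blocked alongside the img pixel, while the genuine anchor still passes.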

Administrators running self-hosted instances of Roundcube are urged to upgrade to version 1.5.13 or 1.6.13 immediately to protect user privacy.
