CVE-2026-35540 Overview
An insufficient CSS sanitization vulnerability has been discovered in Roundcube Webmail versions 1.6.0 through 1.6.13. The vulnerability exists in the handling of HTML email messages containing Cascading Style Sheets (CSS) with external stylesheet links. When processing these emails, Roundcube fails to properly validate and sanitize stylesheet URLs, allowing attackers to craft malicious emails with CSS links pointing to local network hosts.
Critical Impact
Attackers can exploit this vulnerability to perform Server-Side Request Forgery (SSRF) attacks or exfiltrate sensitive information by tricking the Roundcube server into making requests to internal network resources via maliciously crafted email stylesheet links.
Affected Products
- Roundcube Webmail versions 1.6.0 to 1.6.13
- Roundcube Webmail versions prior to 1.7-rc5
- Roundcube Webmail versions prior to 1.5.14
Discovery Timeline
- March 18, 2026 - Roundcube releases security patches in versions 1.7-rc5, 1.6.14, and 1.5.14
- April 3, 2026 - CVE-2026-35540 published to NVD
- April 7, 2026 - Last updated in NVD database
Technical Details for CVE-2026-35540
Vulnerability Analysis
This vulnerability stems from inadequate input validation in the CSS handling routines within Roundcube Webmail. When an HTML email contains <link> tags referencing external stylesheets, Roundcube processes these references to enable CSS styling of email content. However, the application fails to check whether stylesheet URLs resolve to internal or local network addresses before fetching them.
The vulnerable code path allows HTTP/HTTPS URLs without validating whether they point to private IP ranges (such as 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, or 127.0.0.0/8). This oversight enables attackers to craft emails with stylesheet links targeting internal infrastructure, cloud metadata endpoints, or other sensitive network resources accessible from the Roundcube server.
Root Cause
The root cause is classified as CWE-669 (Incorrect Resource Transfer Between Spheres). The application transfers control to fetch external resources without properly validating that the target URLs are safe to access. The original code only verified that the URL matched an HTTP/HTTPS pattern but did not check whether the destination was a local or internal network address.
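The two checks side by side, as an added example (Python, not Roundcube's PHP code): a model of the scheme-only regex test the original code performed, and a host-level check in the spirit of rcube_utils::is_local_url() that treats loopback, private, link-local and other non-global destinations as local. The function names, the injectable resolver and the sample addresses are assumptions for illustration; Roundcube's actual implementation relies on the mlocati/ip-lib library.

```python
"""Vulnerable vs. hardened acceptance check for remote stylesheet URLs.

Added example modelling the advisory's description; not Roundcube code.
"""
import ipaddress
import re
import socket
from typing import Callable, Iterable
from urllib.parse import urlsplit

# Mirrors the original PHP test: preg_match('/^https?:\/\//i', $href)
_SCHEME_RE = re.compile(r"^https?://", re.IGNORECASE)

# A resolver maps a hostname to all addresses it answers with (injectable for tests).
Resolver = Callable[[str], Iterable[str]]


def _default_resolver(host: str) -> Iterable[str]:
    """Resolve a hostname to every A/AAAA address (assumed helper)."""
    try:
        infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    return [info[4][0] for info in infos]


def vulnerable_accepts(href: str) -> bool:
    """Pre-fix behaviour: any http(s) URL passes, wherever its host points."""
    return bool(_SCHEME_RE.match(href))


def is_local_url(href: str, resolver: Resolver = _default_resolver) -> bool:
    """True when the URL's host is not globally routable (loopback, RFC 1918,
    link-local including 169.254.169.254, unspecified, documentation ranges).

    Fails closed: URLs without a parseable host count as local. A hostname is
    resolved and every returned address must be global, so a name with one
    public and one private record is rejected.
    """
    try:
        host = urlsplit(href).hostname  # strips [] from IPv6 literals, lowercases
    except ValueError:
        return True
    if not host:
        return True
    try:
        return not ipaddress.ip_address(host).is_global  # IP literal
    except ValueError:
        pass  # not an IP literal: fall through to DNS
    addrs = list(resolver(host))
    if not addrs:
        return True
    return any(not ipaddress.ip_address(a).is_global for a in addrs)


def hardened_accepts(href: str, resolver: Resolver = _default_resolver) -> bool:
    """Post-fix behaviour: scheme check AND not-local check must both pass."""
    return vulnerable_accepts(href) and not is_local_url(href, resolver)


if __name__ == "__main__":
    # Constructed inputs; the lambda stands in for DNS so this runs offline.
    for href in ("http://127.0.0.1/x.css", "http://169.254.169.254/latest/meta-data/",
                 "http://[::1]/x.css", "https://cdn.example.com/site.css"):
        print(f"{href:45s} vulnerable={vulnerable_accepts(href)} "
              f"hardened={hardened_accepts(href, resolver=lambda h: ['8.8.8.8'])}")
```

Checking a hostname's resolution at sanitisation time leaves a gap if the name resolves differently when the stylesheet is actually fetched, so a fetch path that re-checks the address it connects to, or connects to the address validated here, closes that gap.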
Attack Vector
An attacker can exploit this vulnerability through the network by sending a specially crafted HTML email to a victim's mailbox. When the victim opens the email in Roundcube Webmail, the server-side CSS processing attempts to fetch the malicious stylesheet URL. Since no validation is performed against local network addresses, the Roundcube server makes the request on behalf of the attacker, potentially exposing internal services, cloud metadata APIs, or other sensitive resources.
The following patch demonstrates the security fix applied to address this vulnerability:
if (isset($attrib['href'])) {
$attrib['href'] = preg_replace('/[\\x00-\\x1F]/', '', $attrib['href']);
- if ($tag == 'link' && preg_match('/^https?:\/\//i', $attrib['href'])) {
+ if ($tag == 'link' && preg_match('/^https?:\/\//i', $attrib['href']) && !rcube_utils::is_local_url($attrib['href'])) {
$tempurl = 'tmp-' . md5($attrib['href']) . '.css';
$_SESSION['modcssurls'][$tempurl] = $attrib['href'];
$attrib['href'] = $rcmail->url([
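Review bot: the new !rcube_utils::is_local_url($attrib['href']) guard is evaluated once, on the href string at sanitisation time, while the fetch itself happens later from the copy kept in $_SESSION['modcssurls'][$tempurl]; a hostname that resolves to a public address now and to an internal one when the stored URL is fetched would still pass, so the fetch path should re-validate the address it connects to (or the validated address should be stored with the URL). Also confirm that is_local_url() fails closed (returns true) for hrefs it cannot parse, because a false return on an unparseable href lands in the fetch branch.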
Source: Roundcube GitHub Commit
The fix introduces a new function rcube_utils::is_local_url() that validates URLs against local and private network ranges before allowing external stylesheet fetches. Additionally, the mlocati/ip-lib library was added as a dependency to provide robust IP address validation:
"guzzlehttp/promises": "^2.0",
"league/commonmark": "^2.7",
"masterminds/html5": "~2.9.0",
+ "mlocati/ip-lib": "^1.22.0",
"pear/auth_sasl": "~1.2.0",
"pear/crypt_gpg": "~1.6.3",
"pear/mail_mime": "~1.10.11",
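Review bot: only composer.json changes here; the matching composer.lock update (and the vendored copy shipped in release tarballs) must land in the same change, otherwise rcube_utils::is_local_url() fails on installs that do not run composer update. The caret constraint "mlocati/ip-lib": "^1.22.0" accepts any later 1.x release, so the lock file is also what pins the exact version of this new third-party code in the message-rendering path.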
Source: Roundcube GitHub Commit
Detection Methods for CVE-2026-35540
Indicators of Compromise
- Unusual outbound HTTP/HTTPS requests from the Roundcube server to internal IP addresses (e.g., 127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16)
- Email messages containing <link rel="stylesheet"> tags with URLs pointing to private network ranges or localhost
- Unexpected connections to cloud metadata endpoints such as 169.254.169.254 from the webmail server
- Log entries showing CSS fetch requests to internal hostnames or IP addresses not typically accessed
Detection Strategies
- Deploy network monitoring rules to alert on HTTP/HTTPS requests from webmail servers to RFC 1918 private address ranges, loopback and link-local addresses
- Implement content-filtering rules (at the mail gateway or a web application firewall, WAF) to detect and block emails containing stylesheet links to internal network addresses
- Review Roundcube access logs for patterns indicating stylesheet requests to unusual or internal destinations
- Configure intrusion detection systems (IDS) to monitor for SSRF attack patterns targeting cloud metadata services
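Detection logic for the indicators and strategies listed above, as an added example (not part of the advisory or of Roundcube): it scans netfilter LOG-style connection records for web-port connections from the webmail host to non-global destinations and raises the cloud metadata endpoint separately. The sample lines, the webmail address 192.0.2.10 and the alert severities are constructed assumptions.

```python
"""Flag outbound HTTP/HTTPS connections from a webmail host to private,
loopback, link-local or metadata destinations.

Added example. Input follows the kernel netfilter LOG format
(SRC=/DST=/PROTO=/DPT= fields); all sample lines are constructed.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

WEBMAIL_HOSTS = {"192.0.2.10"}        # constructed: the Roundcube server's egress address
WEB_PORTS = {80, 443, 8080, 8443}     # ports a stylesheet fetch would plausibly use
METADATA_IP = ipaddress.ip_address("169.254.169.254")  # cloud metadata endpoint from the IoC list

_FIELD_RE = re.compile(r"\b(SRC|DST|PROTO|DPT)=(\S+)")


@dataclass
class Alert:
    severity: str
    src: str
    dst: str
    dport: int
    reason: str
    raw: str


def parse_fields(line: str) -> Dict[str, str]:
    """Extract the KEY=VALUE fields we need from a netfilter LOG line."""
    return dict(_FIELD_RE.findall(line))


def classify(line: str) -> Optional[Alert]:
    """Return an Alert when the line is a webmail -> internal web connection."""
    f = parse_fields(line)
    if not {"SRC", "DST", "PROTO", "DPT"}.issubset(f) or f["PROTO"] != "TCP":
        return None                   # not a TCP connection record
    try:
        dport = int(f["DPT"])
        dst_ip = ipaddress.ip_address(f["DST"])
    except ValueError:
        return None
    if f["SRC"] not in WEBMAIL_HOSTS or dport not in WEB_PORTS:
        return None                   # other hosts / non-web ports (IMAP, DNS) are out of scope
    if dst_ip == METADATA_IP:
        return Alert("high", f["SRC"], f["DST"], dport,
                     "webmail server reached cloud metadata endpoint", line)
    if not dst_ip.is_global:
        return Alert("medium", f["SRC"], f["DST"], dport,
                     "webmail server fetched from non-global address", line)
    return None


def scan(lines: Iterable[str]) -> List[Alert]:
    """Run classify() over a log stream and keep only the alerts."""
    return [a for a in map(classify, lines) if a is not None]


# Constructed sample records (not real logs): one benign CDN fetch, one metadata
# probe, one private-range fetch, IMAP to the mail store, another host, and DNS.
SAMPLE_LOG = """\
kernel: IN= OUT=eth0 SRC=192.0.2.10 DST=8.8.8.8 LEN=60 PROTO=TCP SPT=40001 DPT=443 SYN
kernel: IN= OUT=eth0 SRC=192.0.2.10 DST=169.254.169.254 LEN=60 PROTO=TCP SPT=40002 DPT=80 SYN
kernel: IN= OUT=eth0 SRC=192.0.2.10 DST=10.0.0.5 LEN=60 PROTO=TCP SPT=40003 DPT=8443 SYN
kernel: IN= OUT=eth0 SRC=192.0.2.10 DST=10.0.0.9 LEN=60 PROTO=TCP SPT=40005 DPT=993 SYN
kernel: IN= OUT=eth0 SRC=192.0.2.77 DST=10.0.0.5 LEN=60 PROTO=TCP SPT=40006 DPT=80 SYN
kernel: IN= OUT=eth0 SRC=192.0.2.10 DST=10.0.0.5 LEN=60 PROTO=UDP SPT=40007 DPT=53
""".splitlines()

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"[{a.severity}] {a.src} -> {a.dst}:{a.dport}  {a.reason}")
```

Records of this shape come from an iptables LOG rule placed ahead of the DROP rules used for egress filtering; where the webmail server egresses through a forward proxy instead, the same classification applies to the destination host in the proxy access log.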
Monitoring Recommendations
- Enable verbose logging on the Roundcube server to capture all external resource fetch attempts
- Set up alerts for any outbound connections from the webmail server to private IP ranges
- Monitor for emails with suspicious CSS link patterns in your mail filtering infrastructure
- Implement egress filtering to restrict the Roundcube server from accessing internal network segments unnecessarily
How to Mitigate CVE-2026-35540
Immediate Actions Required
- Upgrade Roundcube Webmail to version 1.6.14, 1.5.14, or 1.7-rc5 immediately
- If immediate patching is not possible, disable external CSS loading in Roundcube configuration
- Review server logs for any evidence of exploitation attempts
- Implement network segmentation to limit what internal resources the webmail server can access
Patch Information
Roundcube has released security updates addressing this vulnerability. The fix introduces the rcube_utils::is_local_url() function that validates stylesheet URLs against local and private IP address ranges before fetching external resources. The patch also adds the mlocati/ip-lib library as a dependency (constraint ^1.22.0, i.e. version 1.22.0 or any later 1.x release) for robust IP address validation.
Patched versions are available:
- Roundcube 1.6.14
- Roundcube 1.7-rc5
- Roundcube 1.5.14 (for legacy installations)
For detailed patch information, see the Roundcube Security Update Announcement.
Workarounds
- Disable remote CSS loading by setting $config['allow_remote_resources'] = false; in your Roundcube configuration
- Implement network-level egress filtering to prevent the webmail server from making requests to internal IP ranges
- Deploy a reverse proxy or WAF to inspect and block suspicious stylesheet URLs in incoming emails
- Consider running Roundcube in an isolated network segment with limited access to internal resources
# Configuration example - disable remote resources in Roundcube config
# Add to config/config.inc.php
# Disable loading of remote resources (images, stylesheets) in HTML messages
$config['allow_remote_resources'] = false;

# Alternatively, implement network-level restrictions via iptables on the webmail server
# Block outbound HTTP/HTTPS connections to private IP ranges and the cloud metadata endpoint.
# These rules are appended to OUTPUT, so an earlier ACCEPT rule for outbound traffic would
# match first; they also do not cover 127.0.0.0/8 or IPv6. Review the whole chain and any
# legitimate internal HTTP dependencies of the webmail server before relying on them.
iptables -A OUTPUT -d 10.0.0.0/8 -p tcp --dport 80 -j DROP
iptables -A OUTPUT -d 10.0.0.0/8 -p tcp --dport 443 -j DROP
iptables -A OUTPUT -d 172.16.0.0/12 -p tcp --dport 80 -j DROP
iptables -A OUTPUT -d 172.16.0.0/12 -p tcp --dport 443 -j DROP
iptables -A OUTPUT -d 192.168.0.0/16 -p tcp --dport 80 -j DROP
iptables -A OUTPUT -d 192.168.0.0/16 -p tcp --dport 443 -j DROP
iptables -A OUTPUT -d 169.254.169.254 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

