CVE-2026-35545 Overview
A security bypass vulnerability has been discovered in Roundcube Webmail that allows attackers to circumvent the remote image blocking feature through specially crafted SVG content embedded in email messages. The vulnerability exists in how Roundcube's HTML sanitizer (rcube_washtml.php) processes SVG animate elements, specifically failing to block certain SVG attributes (fill, filter, stroke) that can reference external URLs via FuncIRI values.
When a user views a malicious email containing crafted SVG content, the remote image blocking protection can be bypassed, potentially leading to information disclosure or access-control bypass. This could allow attackers to track email opens, harvest IP addresses, or load external malicious content.
Critical Impact
Remote image blocking bypass enables email tracking, information disclosure, and potential access control circumvention through malicious SVG animate elements in email messages.
Affected Products
- Roundcube Webmail versions before 1.5.15
- Roundcube Webmail versions before 1.6.15
- Roundcube Webmail versions before 1.7-rc6
Discovery Timeline
- 2026-03-29 - Roundcube releases security updates (versions 1.5.15, 1.6.15, and 1.7-rc6)
- 2026-04-03 - CVE-2026-35545 published to NVD
- 2026-04-07 - Last updated in NVD database
Technical Details for CVE-2026-35545
Vulnerability Analysis
This vulnerability represents an authorization bypass in Roundcube Webmail's remote image blocking feature. The HTML sanitizer component (rcube_washtml.php) is designed to prevent remote images from loading when users view emails, protecting against tracking pixels and external content loading. However, the implementation contained an incomplete check for SVG animate elements that use FuncIRI (Functional IRI) attributes.
The original sanitizer only blocked animate elements using mask and cursor attributes with URL values, but failed to account for other SVG presentation attributes that can also reference external resources. Attackers could exploit this by embedding SVG content that uses fill, filter, stroke, clip-path, marker-start, marker-end, or marker-mid attributes with external URL references, effectively bypassing the remote image blocking protection.
Root Cause
The root cause lies in an incomplete regular expression pattern used to identify dangerous SVG animate element attributes. The original code only checked for mask and cursor attributes when validating SVG animate elements for external URL references. This oversight allowed other SVG FuncIRI attributes (fill, filter, stroke, clip-path, and marker attributes) to pass through the sanitizer unchecked, enabling external resource loading despite remote image blocking being enabled.
Attack Vector
An attacker can exploit this vulnerability by sending a specially crafted email containing SVG content with animate elements. The animate element can be configured with attributeName set to one of the bypassed attributes (such as fill, filter, or stroke) and a values attribute containing a url() reference to an external resource. When the victim opens the email in Roundcube Webmail with remote image blocking enabled, the SVG animate element triggers a request to the attacker-controlled URL, bypassing the intended security protection.
The attack requires network access and no authentication, as the malicious payload is delivered via email. User interaction is required only to the extent that the victim must view the email in Roundcube Webmail.
// Security patch for rcube_washtml.php: the check that identifies dangerous SVG
// <animate> elements. attribute_value() matches the named attribute of $node
// against a regular expression.
// Before (vulnerable): only 'mask' and 'cursor' were treated as FuncIRI targets
return self::attribute_value($node, 'attributeName', '/^(mask|cursor)$/i')
    && self::attribute_value($node, 'values', '/url\\(/i');
// After (patched): all FuncIRI presentation attributes that can carry a url() value
$rx = '/^(mask|cursor|fill|filter|stroke|clip-path|marker-start|marker-end|marker-mid)$/i';
return self::attribute_value($node, 'attributeName', $rx)
    && self::attribute_value($node, 'values', '/url\\(/i');
Source: Roundcube GitHub Commit
Detection Methods for CVE-2026-35545
Indicators of Compromise
- Unexpected outbound network requests from the Roundcube webmail server when users view emails
- Email messages containing SVG elements with animate tags and FuncIRI attributes referencing external URLs
- Web server logs showing requests triggered by SVG URL references in email content
Detection Strategies
- Monitor email content for SVG elements containing <animate> tags with attributeName values of fill, filter, stroke, clip-path, or marker attributes combined with url() references
- Implement network egress monitoring for unexpected outbound connections from the Roundcube server
- Review email security gateway logs for messages containing suspicious SVG payloads
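The first detection strategy above, and the before/after sanitizer check quoted in the patch, as an added Python example that is not Roundcube's code: it scans an email body for <animate> elements whose attributeName is a FuncIRI attribute and whose values carry url(), using the vulnerable and the patched attribute patterns side by side. The sample message, the tracker.example host and the function names are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Attribute-name patterns copied from the before/after check in rcube_washtml.php.
VULNERABLE_ATTR_RX = re.compile(r'^(mask|cursor)$', re.I)
PATCHED_ATTR_RX = re.compile(
    r'^(mask|cursor|fill|filter|stroke|clip-path|marker-start|marker-end|marker-mid)$', re.I)
URL_RX = re.compile(r'url\(', re.I)  # the 'values' test is unchanged by the patch


class AnimateCollector(HTMLParser):
    """Collect the attributes of every <animate> start tag in an HTML/SVG body."""

    def __init__(self):
        super().__init__()
        self.animates = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == 'animate':
            # HTMLParser lowercases attribute names: attributeName -> attributename
            self.animates.append({k.lower(): (v or '') for k, v in attrs})


def find_funciri_animates(html, attr_rx=PATCHED_ATTR_RX):
    """Return (attributeName, values) for each <animate> that animates a FuncIRI
    attribute towards a url() value. With the default pattern this is what the
    patched sanitizer catches; pass VULNERABLE_ATTR_RX to see the pre-patch view."""
    parser = AnimateCollector()
    parser.feed(html)
    parser.close()
    return [(a.get('attributename', ''), a.get('values', ''))
            for a in parser.animates
            if attr_rx.match(a.get('attributename', '')) and URL_RX.search(a.get('values', ''))]


# Constructed sample body (hypothetical tracker.example host): one animate on
# 'fill' that the old check missed, one on 'mask' both checks catch, one benign.
SAMPLE_EMAIL_HTML = """
<html><body><p>Quarterly report attached.</p>
<svg xmlns="http://www.w3.org/2000/svg" width="1" height="1"><rect width="1" height="1">
  <animate attributeName="fill" values="url(https://tracker.example/p.svg#g)" dur="1s"/>
  <animate attributeName="mask" values="url(https://tracker.example/m.svg#m)" dur="1s"/>
  <animate attributeName="fill" values="red;blue" dur="1s"/>
</rect></svg></body></html>
"""

if __name__ == '__main__':
    print('pre-patch check flags:', find_funciri_animates(SAMPLE_EMAIL_HTML, VULNERABLE_ATTR_RX))
    print('patched check flags  :', find_funciri_animates(SAMPLE_EMAIL_HTML))
```

Run over raw message bodies (for example, text/html parts extracted from a mail store), a non-empty result from the patched pattern marks a message that would have slipped past an unpatched sanitizer.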
Monitoring Recommendations
- Enable verbose logging on Roundcube Webmail servers to capture content rendering events
- Configure web application firewalls to inspect and log SVG content in inbound emails
- Monitor for unusual patterns of external resource requests correlated with email viewing activity
How to Mitigate CVE-2026-35545
Immediate Actions Required
- Upgrade Roundcube Webmail to version 1.5.15, 1.6.15, or 1.7-rc6 immediately
- Audit email logs for any evidence of exploitation attempts using malicious SVG content
- Consider temporarily disabling SVG rendering in emails if immediate patching is not possible
Patch Information
Roundcube has released patched versions that address this vulnerability by expanding the regular expression pattern to include additional FuncIRI attributes. The fix has been applied to the rcube_washtml.php file across three version branches:
- Version 1.5.15: Release Notes
- Version 1.6.15: Release Notes
- Version 1.7-rc6: Release Notes
For detailed patch information, refer to the Roundcube Security Updates Announcement.
Workarounds
- If patching is not immediately possible, consider configuring email content policies to strip or block SVG elements from incoming emails
- Implement content security policies (CSP) on the Roundcube server to restrict outbound requests
- Educate users about the risks of viewing emails from untrusted sources until patches are applied
# Example: Update Roundcube via Composer
cd /var/www/roundcube
composer update roundcube/roundcubemail
# Or download the latest release from GitHub
wget https://github.com/roundcube/roundcubemail/releases/download/1.6.15/roundcubemail-1.6.15-complete.tar.gz
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.