CVE-2026-48845 Overview
CVE-2026-48845 is a medium-severity information disclosure vulnerability in Roundcube Webmail. The flaw affects versions 1.6.14 through 1.6.16 and all 1.7.x releases before 1.7.1. Roundcube failed to honor remote image blocking for URLs pointing to local or private destinations. An attacker can craft a text/html email containing references to internal endpoints, bypassing the remote resource policy. When a victim opens the message, Roundcube fetches the local URL, which can leak sensitive information or enable privilege escalation. The issue is tracked under [CWE-669: Incorrect Resource Transfer Between Spheres].
Critical Impact
A crafted HTML email can cause Roundcube to fetch attacker-chosen local or private URLs, leading to information disclosure or privilege escalation against internal services.
Affected Products
- Roundcube Webmail 1.6.14 through 1.6.16
- Roundcube Webmail 1.7.x prior to 1.7.1
- Self-hosted Roundcube deployments with default allow_remote disabled
Discovery Timeline
- 2026-05-24 - Roundcube releases security updates 1.6.16 and 1.7.1
- 2026-05-25 - CVE-2026-48845 published to NVD
- 2026-05-26 - Last updated in NVD database
Technical Details for CVE-2026-48845
Vulnerability Analysis
Roundcube sanitizes HTML email content through rcube_washtml.php before rendering. When allow_remote is disabled, the washer is expected to strip or block external references in images, stylesheets, and other resources. The logic incorrectly granted an exception for URLs classified as local by rcube_utils::is_local_url($uri). This exception was intended to permit references to the Roundcube instance itself but allowed any URL the server treats as local or private to pass through unfiltered.
An attacker can embed an <img> tag pointing to internal services such as http://127.0.0.1:9200/, http://169.254.169.254/, or other private-range hosts. When the victim views the email, the server-side or client-side fetch reaches the internal endpoint. Depending on the response handling, response data, headers, or differential timing can be observed, enabling reconnaissance of internal infrastructure or interaction with unauthenticated management interfaces.
Root Cause
The root cause is an over-broad allow condition in the URL filter. The pre-patch check returned the URI when either remote content was allowed or the URL was deemed local. The local exception bypassed the user's choice to block remote content, creating a server-side request forgery-style primitive through trusted email rendering.
Attack Vector
The attack vector is network-based and requires no authentication or user interaction beyond opening an HTML email. An attacker sends a text/html message containing references to local or private URLs. Roundcube processes the message and dereferences the URLs against the configured policy.
// Patch in program/lib/Roundcube/rcube_washtml.php
// Source: https://github.com/roundcube/roundcubemail/commit/7b52353653a67e6073b97d70eb94047132b78556
if (preg_match('/^(http|https|ftp):.+/i', $uri)) {
- if (!empty($this->config['allow_remote']) || rcube_utils::is_local_url($uri)) {
+ if (!empty($this->config['allow_remote'])) {
return $uri;
}
The fix removes the is_local_url($uri) exception, ensuring that when allow_remote is false no http, https, or ftp URI passes the filter.
Detection Methods for CVE-2026-48845
Indicators of Compromise
- Outbound HTTP, HTTPS, or FTP requests from the Roundcube host targeting loopback addresses, RFC1918 ranges, or cloud metadata endpoints such as 169.254.169.254.
- Web server access logs showing image or resource fetches initiated during message rendering with destinations on internal infrastructure.
- Inbound email messages whose HTML body contains <img>, <link>, or CSS url() references to private IP ranges or internal hostnames.
Detection Strategies
- Inspect mail bodies at the gateway for text/html messages referencing private-range or loopback URLs in image and resource tags.
- Correlate Roundcube imageproxy or PHP outbound connections with the user account opening a message at the same timestamp.
- Run the installed Roundcube version against affected ranges 1.6.14 to 1.6.16 and 1.7.0 to confirm exposure.
Monitoring Recommendations
- Alert on any egress from the webmail server to internal management ports such as 22, 2375, 6379, 8500, 9200, and 169.254.169.254.
- Enable verbose logging in Roundcube and monitor rcube_washtml warnings tied to blocked URLs.
- Forward webmail and proxy logs to a centralized analytics platform for cross-source correlation.
How to Mitigate CVE-2026-48845
Immediate Actions Required
- Upgrade Roundcube Webmail to 1.6.17 or later on the 1.6.x branch, or to 1.7.1 or later on the 1.7.x branch.
- Restrict egress from the Roundcube host so it cannot reach internal management interfaces or cloud metadata services.
- Audit mail logs and access logs for evidence of crafted HTML messages referencing internal URLs prior to patching.
Patch Information
Upstream fixes are available in Roundcube 1.6.16 and Roundcube 1.7.1. The code changes are documented in the washtml URL filter commit and the companion commit. See the Roundcube security updates announcement for vendor guidance.
Workarounds
- Apply the upstream rcube_washtml.php patch removing the is_local_url exception to existing 1.6.14 through 1.6.16 and 1.7.0 installations until an upgrade is possible.
- Place Roundcube behind an egress proxy that blocks connections to RFC1918, loopback, and link-local destinations.
- Disable HTML rendering of remote resources at the organizational policy level and require users to opt in per message.
# Verify installed Roundcube version and confirm patched release
grep RCMAIL_VERSION /var/www/roundcube/program/include/iniset.php
# Example nftables rule blocking webmail egress to private ranges
nft add rule inet filter output \
ip daddr { 127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 169.254.0.0/16 } \
meta skuid www-data drop
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
