CVE-2026-48846 Overview
CVE-2026-48846 affects Roundcube Webmail versions 1.6.x before 1.6.16 and 1.7.x before 1.7.1. The vulnerability allows attackers to bypass the remote image blocking feature using a crafted CSS var() value embedded in an e-mail message: the url() reference is hidden inside the var() expression, where the sanitizer did not look. Successful exploitation leads to information disclosure (the sender learns when, from which IP address and with which browser the message was opened); the weakness is classified as CWE-669: Incorrect Resource Transfer Between Spheres.
Roundcube is a widely deployed open-source IMAP webmail client used by hosting providers, universities, and enterprises. The flaw weakens privacy protections that prevent senders from tracking recipients through remote content loading.
Critical Impact
Attackers can exfiltrate recipient metadata (IP address, user-agent, message-open status) by abusing CSS parsing to load attacker-controlled remote resources without user consent.
Affected Products
- Roundcube Webmail 1.6.x prior to 1.6.16
- Roundcube Webmail 1.7.x prior to 1.7.1
- Any deployment that renders HTML messages, which is the default ($config['prefer_html'] = true); instances forced to plaintext display never hand the message's CSS to the sanitizer
Discovery Timeline
- 2026-05-24 - Roundcube releases security updates 1.6.16 and 1.7.1
- 2026-05-25 - CVE-2026-48846 published to NVD
- 2026-05-26 - Last updated in NVD database
Technical Details for CVE-2026-48846
Vulnerability Analysis
The vulnerability resides in the CSS sanitization routine within program/lib/Roundcube/rcube_utils.php. Roundcube parses the CSS in HTML e-mails (both <style> blocks and inline style= attributes) and hands every url() reference to a callback that drops remote resources such as background images while remote image blocking is active. The original regular expression only matched a url(...) token at the start of a CSS property value, anchored with ^url\s*\(. A value that starts with anything else, for example var(--x, url(https://...)) with the url() as the fallback argument of var(), never matched and was copied into the rendered page untouched.
When the recipient's browser evaluates the CSS, var() resolves to its fallback (or to a custom property whose value carries the url()) and the browser fetches the remote URL as an ordinary image load, defeating the remote image blocking control. This exposes the recipient's IP address, browser fingerprint (User-Agent and related request headers), and the time at which the message was opened.
Root Cause
The root cause is an incomplete input validation regex. The anchored pattern ^url\s*\( treated a value as carrying a URL only when url( was its very first token, so any value that merely contained url() further in (inside var(), or after another token) was passed through unchanged. The old branch also processed a single url() per value: it extracted the first match and emitted only that url(), so several url() tokens in one value were never individually checked, which the fix had to address as well.
Attack Vector
Exploitation requires no account on the target Roundcube instance; the only user interaction is the recipient opening or previewing the crafted HTML e-mail. The message carries CSS that hides a url() call inside a var() reference. When Roundcube renders the message, the reference survives sanitization and the recipient's browser loads remote content from attacker-controlled infrastructure.
} else {
$value = '';
foreach (self::explode_css_property_block($rule[1]) as $val) {
- if ($url_callback && preg_match('/^url\s*\(/i', $val)) {
- if (preg_match('/^url\s*\(\s*[\'"]?([^\'"\)]*)[\'"]?\s*\)/iu', $val, $match)) {
- if ($url = $url_callback($match[1])) {
- $value .= ' url(' . $url . ')';
+ if ($url_callback && preg_match('/\burl\s*\(/i', $val)) {
+ if (preg_match_all('/(\b)url\s*\(\s*[\'"]?([^\'"\)]*)[\'"]?\s*\)/iu', $val, $matches)) {
+ foreach ($matches[2] as $idx => $url) {
+ if ($url = $url_callback($url)) {
+ $val = str_replace($matches[0][$idx], $matches[1][$idx] . "url({$url})", $val);
+ } else {
+ $val = '';
+ }
+ }
+ if (strlen($val)) {
+ $value .= ' ' . $val;
}
}
} elseif (preg_match('/;.+/', $val)) {
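Review bot: the `(\b)` capture group in the `preg_match_all` pattern is zero-width, so `$matches[1][$idx]` is always the empty string and the `$matches[1][$idx] . "url({$url})"` concatenation does nothing; either drop the group and replace with `"url({$url})"` directly, or capture a real leading character if the intent was to preserve it. Two smaller points in the same branch: once `$val = ''` is set for a rejected URL the `foreach` keeps calling `str_replace` on an empty string, so a `break` would make the all-or-nothing behaviour explicit; and because the whole rewritten `$val` is now appended (the old branch emitted only `' url(' . $url . ')'`), whatever else sits in the token next to the url() calls is now passed through without reaching the `elseif (preg_match('/;.+/', $val))` check and the branches after it, which deserves a comment or a test case.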
Source: Roundcube Commit 59cca80. The patch replaces the anchored regex with \b word-boundary matching so that url( is found anywhere in the value, uses preg_match_all to run every url() token through the callback, and discards the whole value if the callback rejects any one of them.
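The vulnerable and patched url() handling described under Vulnerability Analysis and shown in the patch above, ported to Python as an added example (this is not Roundcube's own code). It assumes each CSS property value arrives as one token (the real routine first splits it with explode_css_property_block) and uses block_remote() as a stand-in for the $url_callback that rejects every non-cid:/data: reference, which is the remote-image-blocking case:

```python
"""Pre-patch vs. patched url() handling from the Roundcube diff, in Python.

Added example, not Roundcube's own code.  Assumptions:
  * each CSS property value is handed in as one token (the real routine
    first splits it with explode_css_property_block);
  * block_remote() stands in for $url_callback and rejects every URL that
    is not cid:/data:, i.e. remote images are blocked.
"""
import re

# The same patterns as the PHP hunk, in Python syntax.
OLD_GUARD = re.compile(r'^url\s*\(', re.I)
OLD_EXTRACT = re.compile(r'^url\s*\(\s*[\'"]?([^\'"\)]*)[\'"]?\s*\)', re.I)
NEW_GUARD = re.compile(r'\burl\s*\(', re.I)
NEW_EXTRACT = re.compile(r'(\b)url\s*\(\s*[\'"]?([^\'"\)]*)[\'"]?\s*\)', re.I)


def block_remote(url):
    """Stand-in url_callback (assumption): keep embedded parts, drop fetches."""
    return url if re.match(r'(cid|data):', url, re.I) else ''


def sanitize_old(val, url_callback=block_remote):
    """Pre-1.6.16 branch: only a value that *starts* with url( is inspected.

    Returns the text appended to the sanitized property ('' means dropped).
    """
    if url_callback and OLD_GUARD.search(val):
        m = OLD_EXTRACT.search(val)
        if m:
            url = url_callback(m.group(1))
            if url:
                # Only the first url() survives; the rest of the token is lost.
                return f' url({url})'
        return ''
    # Anything that does not start with url( is copied through untouched.
    # That is the bypass: var(--x, url(https://...)) lands here.
    # (The remaining elseif branches of the PHP are not modelled.)
    return ' ' + val


def sanitize_new(val, url_callback=block_remote):
    """Patched branch: every url( token anywhere in the value is rewritten,
    and one rejected URL discards the whole value."""
    if url_callback and NEW_GUARD.search(val):
        matches = list(NEW_EXTRACT.finditer(val))
        if matches:
            for m in matches:
                url = url_callback(m.group(2))
                if url:
                    # str_replace equivalent; group(1) is the zero-width \b, so ''.
                    val = val.replace(m.group(0), m.group(1) + f'url({url})')
                else:
                    val = ''
            if val:
                return ' ' + val
        return ''
    return ' ' + val


def bypasses_old_filter(val):
    """True when the old branch lets a url() through that the patch rejects."""
    old, new = sanitize_old(val), sanitize_new(val)
    return 'url(' in old.lower() and new == ''


if __name__ == '__main__':
    samples = [
        'url(https://tracker.example/p.gif)',               # blocked by both
        'var(--bg, url(https://tracker.example/p.gif))',    # the CVE shape
        'url("cid:logo@example") no-repeat',                # embedded part, kept
    ]
    for v in samples:
        print(f'{v!r}\n  old={sanitize_old(v)!r}\n  new={sanitize_new(v)!r}'
              f'\n  bypass={bypasses_old_filter(v)}')
```

Running it, the second sample (the var()-wrapped url()) comes back from sanitize_old() untouched while sanitize_new() drops it; the third sample shows a side effect of the rewrite: the patched branch keeps the rest of the value (no-repeat) where the old one kept only the url().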
Detection Methods for CVE-2026-48846
Indicators of Compromise
- Inbound HTML e-mails containing CSS var() declarations that wrap url() references
- Outbound HTTP/HTTPS requests to unrecognized domains right after a user opens a message; the fetch is made by the recipient's browser (or a forward proxy in front of it), not by the Roundcube server, so look at client-side proxy and DNS telemetry
- Web server access logs on the Roundcube host showing a message open (requests with _task=mail and _action=show or _action=preview) that line up in time with proxy or DNS records for a domain that appears only in that message
Detection Strategies
- Inspect e-mail bodies at the gateway for CSS patterns combining var(-- with url( substrings in <style> blocks or inline style= attributes
- Compare rendered message metadata against expected remote-image-block policy to identify silent fetches
- Correlate Roundcube version banners with the patched releases 1.6.16 and 1.7.1 to identify exposed instances
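The gateway inspection in the first two strategies above, as an added example that is not Roundcube's or any gateway product's code. It extracts CSS from <style> blocks and inline style= attributes with Python's html.parser, splits it into declarations without breaking url(data:...;base64,...) values, and flags every declaration in which url( is not the first token, since those are exactly the values the pre-patch anchored regex never inspected. The message body is a constructed sample and the verdict labels are this script's own:

```python
"""Gateway triage for the var()/url() remote-image bypass.

Added example, not Roundcube's or any gateway's code.  It pulls CSS out of
<style> blocks and inline style= attributes of an HTML body, splits it into
declarations, and flags every value in which url( appears somewhere other
than at the start: the values the pre-1.6.16 anchored check never looked at.
SAMPLE_HTML is a constructed message body; the verdict strings are labels
chosen for this script, not Roundcube identifiers.
"""
import re
from html.parser import HTMLParser

URL_ANYWHERE = re.compile(r'\burl\s*\(', re.I)
URL_AT_START = re.compile(r'^url\s*\(', re.I)
VAR_WRAP = re.compile(r'\bvar\s*\(', re.I)

# Constructed sample message body (not a real capture).
SAMPLE_HTML = """<html><head><style>
.hdr { background: url(cid:logo@example) no-repeat; }
.px  { background-image: var(--t, url(https://track.example/o.gif)); }
</style></head><body>
<div style="width:1px;height:1px;background:var(--x, url('https://track.example/o2.gif'))">Hello</div>
<p style="color: #333">Body</p>
</body></html>"""


class StyleCollector(HTMLParser):
    """Collects the text of every <style> element and every inline style=."""

    def __init__(self):
        super().__init__()
        self.blocks = []        # list of (origin, css_text)
        self._style_buf = None  # non-None while inside <style>

    def handle_starttag(self, tag, attrs):
        if tag == 'style':
            self._style_buf = []
        for name, value in attrs:
            if name == 'style' and value:
                self.blocks.append((f'<{tag} style>', value))

    def handle_data(self, data):
        if self._style_buf is not None:
            self._style_buf.append(data)

    def handle_endtag(self, tag):
        if tag == 'style' and self._style_buf is not None:
            self.blocks.append(('<style>', ''.join(self._style_buf)))
            self._style_buf = None


def split_declarations(css):
    """Return (property, value) pairs; ';' inside parentheses does not split,
    so url(data:image/png;base64,...) survives intact."""
    body = re.sub(r'[^{}]*\{', '', css).replace('}', ';')   # drop selectors/braces
    out, cur, depth = [], [], 0
    for ch in body:
        if ch == '(':
            depth += 1
        elif ch == ')':
            depth = max(depth - 1, 0)
        if ch == ';' and depth == 0:
            out.append(''.join(cur))
            cur = []
        else:
            cur.append(ch)
    out.append(''.join(cur))
    pairs = []
    for decl in out:
        if ':' in decl:
            prop, value = decl.split(':', 1)
            pairs.append((prop.strip(), value.strip()))
    return pairs


def scan_html(html):
    """Return (origin, property, value, verdict) for every declaration with url(."""
    col = StyleCollector()
    col.feed(html)
    col.close()
    findings = []
    for origin, css in col.blocks:
        for prop, value in split_declarations(css):
            if not URL_ANYWHERE.search(value):
                continue
            if URL_AT_START.match(value):
                verdict = 'url-at-start'        # the old anchored check saw this
            elif VAR_WRAP.search(value):
                verdict = 'url-inside-var'      # the CVE-2026-48846 shape
            else:
                verdict = 'url-not-at-start'    # also missed by the old check
            findings.append((origin, prop, value, verdict))
    return findings


def suspicious(html=SAMPLE_HTML):
    """Only the declarations the pre-patch sanitizer would have passed through."""
    return [f for f in scan_html(html) if f[3] != 'url-at-start']


if __name__ == '__main__':
    for origin, prop, value, verdict in scan_html(SAMPLE_HTML):
        print(f'{verdict:18} {origin:12} {prop}: {value}')
```

On the sample body the scanner reports three url() declarations and suspicious() keeps two: the var()-wrapped one in the <style> block and the one in the <div> inline style. The plain url(cid:...) in .hdr is listed but not flagged, because the old filter did inspect values that begin with url(.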
Monitoring Recommendations
- If the webmail virtual host already sends a Content Security Policy, wire up its report-uri/report-to endpoint and log the reports: a blocked image load to an unfamiliar host immediately after a message open is exactly the signal this bypass produces
- Monitor DNS queries from webmail infrastructure for newly registered or low-reputation domains referenced by HTML messages
- Track Roundcube release versions across hosted tenants and flag any instance running below 1.6.16 or 1.7.1
How to Mitigate CVE-2026-48846
Immediate Actions Required
- Upgrade Roundcube Webmail to version 1.6.16 or 1.7.1 as published in the Roundcube Security Updates Announcement
- Audit all hosted or self-managed Roundcube instances for affected versions
- After the upgrade, confirm that $config['show_images'] in config/config.inc.php is still 0 (never load remote images automatically) and send yourself a test message carrying var(--x, url(...)) to verify that no fetch occurs
Patch Information
The upstream fix is delivered in Roundcube Release 1.6.16 and Roundcube Release 1.7.1. The relevant code changes are tracked in commit 59cca80 and commit 8523504, which rewrite the CSS url() sanitizer to handle multiple and non-anchored occurrences.
Workarounds
- Force plaintext display until the patch is applied: set $config['prefer_html'] = false; in config/config.inc.php and list 'prefer_html' in $config['dont_override'] so users cannot switch HTML rendering back on from their preferences
- Deploy a Content Security Policy (CSP) on the webmail virtual host that restricts img-src and style-src to first-party origins; this also blocks the legitimate per-message "show remote images" action, since those images are loaded directly by the browser, so treat it as a temporary control and add a report-uri/report-to endpoint to see what is being blocked
- Use an upstream e-mail gateway to strip <style> blocks and inline style= attributes containing var( references; expect some legitimate HTML newsletters to lose formatting while this is in place
# Verify the installed Roundcube version on a Linux host (adjust the install path)
grep RCMAIL_VERSION /var/www/roundcube/program/include/iniset.php
# Back up the install directory and the database before upgrading
# Upgrade a 1.6.x install using the official tarball (1.7.x installs take the 1.7.1 tarball instead)
wget https://github.com/roundcube/roundcubemail/releases/download/1.6.16/roundcubemail-1.6.16-complete.tar.gz
tar -xzf roundcubemail-1.6.16-complete.tar.gz
cd roundcubemail-1.6.16
# installto.sh copies the release over the existing install, keeps config/, and runs the update steps
bin/installto.sh /var/www/roundcube
# Confirm the new version is in place
grep RCMAIL_VERSION /var/www/roundcube/program/include/iniset.php
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


