Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-58451

CVE-2026-58451: Horde IMP Path Traversal Vulnerability

CVE-2026-58451 is a path traversal vulnerability in Horde IMP before 7.0.1 that allows attackers to read arbitrary server files through malicious img src URLs. This article covers technical details, exploitation methods, and mitigation.

Published:

CVE-2026-58451 Overview

CVE-2026-58451 is a path traversal vulnerability in Horde IMP webmail before version 7.0.1. The flaw resides in lib/Compose.php, where the HTML compose handler processes <img src> URLs pointing to the bundled CKEditor directory. The code uses stripos() to validate a URL prefix and then rebuilds a filesystem path with str_replace(), leaving any ../ traversal sequences intact. An authenticated attacker can craft a message containing an image tag whose src begins with the CKEditor prefix followed by traversal segments. When the message is sent, file_get_contents() reads arbitrary server files and embeds their contents as MIME parts in the outgoing email. Unauthenticated exploitation is possible through cross-site request forgery against an active session [CWE-22].

Critical Impact

Attackers can read arbitrary files readable by the webmail process, including configuration files with database credentials, and exfiltrate them by sending email.

Affected Products

  • Horde IMP webmail versions prior to 7.0.1
  • Horde Groupware installations bundling vulnerable IMP releases
  • Any deployment exposing the IMP HTML compose handler to authenticated users

Discovery Timeline

  • 2026-07-01 - CVE-2026-58451 published to NVD
  • 2026-07-02 - Last updated in NVD database

Technical Details for CVE-2026-58451

Vulnerability Analysis

The vulnerability lives in the HTML compose path of Horde IMP, where the application rewrites embedded CKEditor image URLs to their filesystem locations so image data can be attached to outgoing MIME messages. The original code called stripos($src, $js_path . '/ckeditor') === 0 to confirm the URL pointed at the CKEditor asset tree. It then invoked str_replace($js_path, $registry->get('jsfs', 'horde'), $src) to convert the URL to an on-disk path and passed the result to file_get_contents().

Because stripos() only checks that a prefix matches and str_replace() never normalizes the remainder of the string, an attacker can append ../ segments after the CKEditor prefix. The resulting filesystem path escapes the CKEditor directory and points anywhere the web server user can read. The file contents are then base64-encoded into a MIME part and mailed to the attacker.

Root Cause

The root cause is trusted prefix validation without canonicalization. The code accepted any URL beginning with /ckeditor and did not verify that the derived filesystem path stayed inside the CKEditor tree. No realpath() containment check or relative-filename regex existed on the tail of the URL.

Attack Vector

An authenticated Horde IMP user, or an unauthenticated attacker leveraging CSRF against a logged-in victim, submits a compose request containing an <img> tag such as <img src="/horde/js/ckeditor/../../../../etc/passwd">. The server treats the prefix as valid, reads the target file, and includes it in the sent message.

php
                  * the base ckeditor directory, so search for that and replace
                  * with the filesystem information if found (Request
                  * #13051). Need to ignore other image links that may have
-                 * been explicitly added by the user. */
+                 * been explicitly added by the user.
+                 *
+                 * SECURITY: the previous implementation trusted a stripos()
+                 * prefix check and rebuilt the filesystem path with
+                 * str_replace(), leaving any `../` sequences in the URL
+                 * intact. That let a crafted <img src> read arbitrary
+                 * server files via file_get_contents() and exfiltrate them
+                 * inside the outgoing MIME body. We now extract the tail
+                 * after `/ckeditor/`, reject anything that is not a plain
+                 * relative filename under the ckeditor tree, and require
+                 * realpath() containment before touching the file. */
                 $js_path = strval(Horde::url($registry->get('jsuri', 'horde'), true));
-                if (stripos($src, $js_path . '/ckeditor') === 0) {
-                    $file = str_replace(
-                        $js_path,
-                        $registry->get('jsfs', 'horde'),
-                        $src
+                $js_prefix = $js_path . '/ckeditor/';
+                if (stripos($src, $js_prefix) === 0) {
+                    $tail = substr($src, strlen($js_prefix));
+                    /* Drop any query string or fragment the browser may
+                     * have kept on the URL. */
+                    $tail = preg_replace('/[?#].*$/', '', $tail);
+                    $ckeditor_base = realpath(
+                        $registry->get('jsfs', 'horde') . '/ckeditor'
                     );

Source: GitHub Horde IMP Commit Update. The patch extracts the URL tail after /ckeditor/, strips query strings, and enforces realpath() containment before reading any file.

Detection Methods for CVE-2026-58451

Indicators of Compromise

  • Outgoing messages authored through Horde IMP that contain MIME parts referencing filesystem paths such as /etc/passwd, /proc/self/environ, or Horde configuration files
  • Web server access logs showing compose requests with img src values combining /ckeditor/ and ../ sequences
  • Unexpected outbound SMTP traffic to attacker-controlled addresses shortly after user logins to IMP

Detection Strategies

  • Inspect the IMP sentmail log and mail store for messages whose attachments correspond to sensitive server files
  • Alert on any HTTP request body submitted to imp/compose.php or the DIMP compose endpoint that contains the string ckeditor/.. or URL-encoded equivalents
  • Correlate PHP file_get_contents() errors in web server logs with the account of the submitting user

Monitoring Recommendations

  • Enable verbose logging on the Horde IMP compose action and forward logs to a centralized platform for retention and search
  • Monitor for reads of high-value files such as /etc/passwd, /etc/shadow, and horde/config/conf.php by the web server user
  • Track outbound email volume per user and flag anomalies that follow compose requests containing traversal patterns

How to Mitigate CVE-2026-58451

Immediate Actions Required

  • Upgrade Horde IMP to version 7.0.1 or later, which introduces the realpath() containment fix in lib/Compose.php
  • Rotate credentials and secrets that may have been exposed in configuration files readable by the web server user
  • Review sent-mail archives for messages containing exfiltrated server files and identify affected accounts

Patch Information

The fix is committed in fba972f and shipped in the Horde IMP v7.0.1 release. See the pull request and the VulnCheck advisory for additional detail. The patched code extracts the tail after /ckeditor/, rejects anything that is not a plain relative filename, and requires realpath() containment inside the CKEditor tree before calling file_get_contents().

Workarounds

  • Restrict access to the IMP compose endpoint at the reverse proxy level until patching is complete
  • Enforce anti-CSRF controls and same-site cookies on the Horde session to reduce unauthenticated exploitation via active sessions
  • Run the Horde web server process under a low-privilege account with no read access to secrets outside the application data directory
bash
# Verify installed IMP version and upgrade via PEAR/composer channel
pear list -c horde | grep -i imp
pear upgrade horde/imp-7.0.1

# Optional nginx location block to block traversal in compose requests
location ~* /imp/(dynamic|compose) {
    if ($request_body ~* "ckeditor/\.\.") { return 403; }
    proxy_pass http://horde_backend;
}

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.