CVE-2025-26696: Vulnerability in Mozilla Thunderbird
Certain crafted MIME email messages that claimed to contain an encrypted OpenPGP message, which instead contained an OpenPGP signed message, were wrongly shown as being encrypted. This vulnerability was fixed in Thunderbird 136 and Thunderbird 128.8.
AI Analysis
Technical Summary
The vulnerability CVE-2025-26696 in Mozilla Thunderbird involves the incorrect display of certain crafted MIME email messages. Specifically, messages that claimed to contain encrypted OpenPGP content but actually contained signed OpenPGP content were shown as encrypted, potentially misleading users about message confidentiality. This flaw was addressed and fixed in Thunderbird 136 and Thunderbird ESR 128.8. The CVSS 3.1 vector (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L) reflects a network attack vector with high confidentiality impact, low integrity and availability impacts, and requires high attack complexity without privileges or user interaction. Mozilla's official advisories (MFSA2025-17 and MFSA2025-18) confirm the fix and provide additional context on related vulnerabilities fixed in these releases.
Potential Impact
The primary impact of CVE-2025-26696 is the incorrect indication that an email message is encrypted when it is not, potentially causing users to mistakenly believe their communication is confidential when it is only signed. This could lead to disclosure of sensitive information if users rely on the encryption indicator for security decisions. The CVSS score of 7.0 indicates a high severity impact on confidentiality, with lesser impacts on integrity and availability. There are no known exploits in the wild. The vulnerability does not allow direct code execution or privilege escalation but affects user trust in message security.
Mitigation Recommendations
This vulnerability has been fixed in Mozilla Thunderbird versions 136 and ESR 128.8. Users and administrators should upgrade to these versions or later to remediate the issue. The vendor advisories explicitly confirm the availability of these fixes. No additional mitigation steps are required beyond applying the official updates. Since scripting is disabled when reading mail, exploitation through email is limited. Verify that Thunderbird installations are updated to at least version 136 or 128.8 ESR to ensure protection.
CVE-2025-26696: Vulnerability in Mozilla Thunderbird
Description
Certain crafted MIME email messages that claimed to contain an encrypted OpenPGP message, which instead contained an OpenPGP signed message, were wrongly shown as being encrypted. This vulnerability was fixed in Thunderbird 136 and Thunderbird 128.8.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability CVE-2025-26696 in Mozilla Thunderbird involves the incorrect display of certain crafted MIME email messages. Specifically, messages that claimed to contain encrypted OpenPGP content but actually contained signed OpenPGP content were shown as encrypted, potentially misleading users about message confidentiality. This flaw was addressed and fixed in Thunderbird 136 and Thunderbird ESR 128.8. The CVSS 3.1 vector (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L) reflects a network attack vector with high confidentiality impact, low integrity and availability impacts, and requires high attack complexity without privileges or user interaction. Mozilla's official advisories (MFSA2025-17 and MFSA2025-18) confirm the fix and provide additional context on related vulnerabilities fixed in these releases.
Potential Impact
The primary impact of CVE-2025-26696 is the incorrect indication that an email message is encrypted when it is not, potentially causing users to mistakenly believe their communication is confidential when it is only signed. This could lead to disclosure of sensitive information if users rely on the encryption indicator for security decisions. The CVSS score of 7.0 indicates a high severity impact on confidentiality, with lesser impacts on integrity and availability. There are no known exploits in the wild. The vulnerability does not allow direct code execution or privilege escalation but affects user trust in message security.
Mitigation Recommendations
This vulnerability has been fixed in Mozilla Thunderbird versions 136 and ESR 128.8. Users and administrators should upgrade to these versions or later to remediate the issue. The vendor advisories explicitly confirm the availability of these fixes. No additional mitigation steps are required beyond applying the official updates. Since scripting is disabled when reading mail, exploitation through email is limited. Verify that Thunderbird installations are updated to at least version 136 or 128.8 ESR to ensure protection.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- mozilla
- Date Reserved
- 2025-02-13T22:03:43.233Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
- Vendor Advisory Urls
- [{"url":"https://www.mozilla.org/security/advisories/mfsa2025-17/","vendor":"Mozilla"},{"url":"https://www.mozilla.org/security/advisories/mfsa2025-18/","vendor":"Mozilla"}]
Threat ID: 69dd057782d89c981f017294
Added to database: 4/13/2026, 3:02:15 PM
Last enriched: 4/13/2026, 3:16:58 PM
Last updated: 4/14/2026, 6:05:20 AM
Views: 7
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.