CVE-2026-0818: Vulnerability in Mozilla Thunderbird
When a user explicitly requested Thunderbird to decrypt an inline OpenPGP message that was embedded in a text section of an email that was formatted and styled with HTML and CSS, then the decrypted contents were rendered in a context in which the CSS styles from the outer messages were active. If the user had additionally allowed loading of the remote content referenced by the outer email message, and the email was crafted by the sender using a combination of CSS rules and fonts and animations, then it was possible to extract the secret contents of the email. This vulnerability affects Thunderbird < 147.0.1 and Thunderbird < 140.7.1.
AI Analysis
Technical Summary
CVE-2026-0818 is a vulnerability in Mozilla Thunderbird versions prior to 147.0.1 and 140.7.1 that affects the handling of inline OpenPGP encrypted messages embedded within HTML and CSS formatted emails. When a user explicitly requests decryption of such an inline message, the decrypted content is rendered within the context of the outer email's CSS styles. If the user has also enabled loading of remote content referenced by the outer email, an attacker can craft a malicious email that uses CSS rules, fonts, and animations to exfiltrate the decrypted secret contents. This occurs because the decrypted plaintext is exposed to the styling and scripting context of the outer message, enabling side-channel data extraction driven by CSS styling. The vulnerability is classified under CWE-200 (Information Exposure), CWE-352 (Cross-Site Request Forgery), and CWE-116 (Improper Encoding or Escaping of Output). The CVSS v3.1 base score is 4.3 (medium), reflecting that the attack can be performed remotely without privileges but requires user interaction (decrypting the message and allowing remote content). There is no impact on message integrity or availability, and no known exploits have been reported in the wild as of the publication date. The vulnerability highlights the risks of rendering decrypted content within a non-isolated styling context and the dangers of enabling remote content loading in email clients.
Potential Impact
For European organizations, this vulnerability primarily threatens the confidentiality of sensitive email communications protected by OpenPGP in Thunderbird. If exploited, attackers could extract decrypted secret message contents, potentially exposing confidential business information, personal data, or intellectual property. This risk is heightened in sectors relying heavily on encrypted email, such as government, finance, legal, and healthcare. The vulnerability does not affect message integrity or availability, so operational disruption is unlikely. However, the confidentiality breach could lead to regulatory compliance issues under GDPR if personal data is exposed. Organizations that allow remote content loading by default or users who enable it increase their exposure. Since exploitation requires user interaction, targeted phishing campaigns could be used to trick users into decrypting malicious messages and enabling remote content, making spear-phishing a plausible attack vector. The medium severity score suggests moderate urgency but should not be underestimated given the sensitivity of encrypted communications.
Mitigation Recommendations
European organizations should immediately update Mozilla Thunderbird to versions 147.0.1 or 140.7.1 or later where this vulnerability is patched. Until updates are applied, users should be advised to disable automatic loading of remote content in emails to prevent attackers from leveraging external CSS and fonts for data exfiltration. Additionally, users should be trained to avoid decrypting inline OpenPGP messages from untrusted or unexpected senders, especially if the email contains complex HTML or CSS styling. Email security policies should enforce strict controls on remote content loading and encourage the use of text-only email views when handling encrypted messages. Organizations may also consider deploying email gateway solutions that sanitize or block emails containing suspicious HTML/CSS content or inline encrypted messages from unknown sources. Monitoring for phishing attempts exploiting this vulnerability and raising user awareness about the risks of enabling remote content and decrypting suspicious messages are critical. Finally, reviewing and restricting OpenPGP usage policies to trusted correspondents can reduce exposure.
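The two interim mitigations above (block remote content, view mail as plain or simplified text) and the version check map onto a handful of Thunderbird profile preferences. The script below is an added example, not part of this advisory or of Thunderbird: it parses a prefs.js or user.js file, reports which of those settings are still in the risky state, and checks the recorded application version against the fixed releases named in the advisory. The preference names (mailnews.message_display.disable_remote_image, mailnews.display.html_as, mailnews.display.prefer_plaintext, extensions.lastAppVersion) and their default values are assumptions taken from Thunderbird's about:config, not from this page; the sample prefs.js content is constructed for illustration.

```python
"""Audit a Thunderbird prefs.js/user.js for settings relevant to CVE-2026-0818.

Assumptions (preference names and defaults are from Thunderbird's about:config,
not from the advisory):
  mailnews.message_display.disable_remote_image  true  -> remote content blocked
  mailnews.display.html_as                        0 full HTML, 1 simplified, 3 plain text
  mailnews.display.prefer_plaintext               true  -> prefer the text/plain part
  extensions.lastAppVersion                       version string written by the app
"""
import re

# Matches pref("name", value); and user_pref("name", value); lines.
PREF_LINE = re.compile(r'^\s*(?:user_)?pref\("([^"]+)",\s*(.+?)\);\s*$')

# Thunderbird defaults (assumed) used when a preference is absent from the file.
DEFAULTS = {
    "mailnews.message_display.disable_remote_image": True,
    "mailnews.display.html_as": 0,
    "mailnews.display.prefer_plaintext": False,
}

# Fixed releases stated in the advisory: 140.7.1 on the 140 branch, otherwise 147.0.1.
FIXED_ESR_140 = (140, 7, 1)
FIXED_MAIN = (147, 0, 1)


def parse_prefs(text: str) -> dict:
    """Return {pref_name: value} with booleans, ints and strings decoded."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_LINE.match(line)
        if not m:
            continue  # comments, blank lines, anything else
        name, raw = m.group(1), m.group(2).strip()
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif raw.startswith('"') and raw.endswith('"'):
            prefs[name] = raw[1:-1]
        else:
            try:
                prefs[name] = int(raw)
            except ValueError:
                prefs[name] = raw
    return prefs


def version_tuple(version: str) -> tuple:
    """'140.7.1esr' -> (140, 7, 1); missing components are padded with zeros."""
    nums = [int(n) for n in re.findall(r"\d+", version)][:3]
    return tuple(nums + [0] * (3 - len(nums)))


def is_fixed(version: str) -> bool:
    """True if the version is at or past the fixed release for its branch."""
    v = version_tuple(version)
    if v[0] == 140:
        return v >= FIXED_ESR_140
    return v >= FIXED_MAIN


def audit(prefs: dict) -> list:
    """Return findings for settings that widen exposure; empty list = hardened."""
    effective = {**DEFAULTS, **prefs}
    findings = []
    if effective["mailnews.message_display.disable_remote_image"] is not True:
        findings.append("remote content loading is enabled "
                        "(mailnews.message_display.disable_remote_image=false)")
    if effective["mailnews.display.html_as"] == 0:
        findings.append("messages render as full HTML (mailnews.display.html_as=0); "
                        "prefer 1 (simplified HTML) or 3 (plain text)")
    if not effective["mailnews.display.prefer_plaintext"]:
        findings.append("text/plain alternative is not preferred "
                        "(mailnews.display.prefer_plaintext=false)")
    return findings


def audit_profile(prefs_text: str) -> dict:
    """Combine the version check and the settings audit for one prefs file."""
    prefs = parse_prefs(prefs_text)
    version = prefs.get("extensions.lastAppVersion", "unknown")
    return {
        "version": version,
        "patched": is_fixed(version) if version != "unknown" else False,
        "findings": audit(prefs),
    }


# Constructed sample profile, not taken from any real installation.
SAMPLE_PREFS_JS = """\
// Mozilla User Preferences (constructed sample)
user_pref("extensions.lastAppVersion", "146.0");
user_pref("mailnews.message_display.disable_remote_image", false);
user_pref("mailnews.display.html_as", 0);
"""

if __name__ == "__main__":
    report = audit_profile(SAMPLE_PREFS_JS)
    print(f"Thunderbird {report['version']}: patched={report['patched']}")
    for f in report["findings"]:
        print(" -", f)
```

Run it against `~/.thunderbird/<profile>/prefs.js` (or a user.js pushed by configuration management) to confirm that an interim hardening actually took effect; an empty findings list with `patched=True` is the state to aim for once the update has been rolled out.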
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Belgium, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: mozilla
- Date Reserved: 2026-01-09T16:32:39.712Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 6979bfee4623b1157c9f66d3
Added to database: 1/28/2026, 7:51:10 AM
Last enriched: 2/4/2026, 8:42:35 AM
Last updated: 2/7/2026, 1:17:10 AM