CVE-2026-48846: CWE-669 Incorrect Resource Transfer Between Spheres in Roundcube Webmail
In Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7.1, the remote image blocking feature can be bypassed via a crafted CSS var() value in an e-mail message, which may lead to information disclosure or access-control bypass.
AI Analysis
Technical Summary
This vulnerability affects Roundcube Webmail versions prior to 1.6.16 and 1.7.1. The issue arises because the remote image blocking feature can be circumvented by embedding a specially crafted CSS var() value within an email message. This bypass may enable attackers to disclose information or bypass access controls that rely on remote image blocking. The CVSS 3.1 base score is 6.5, indicating a medium severity level. No vendor advisory or patch information is currently available, and the product is not a cloud service.
Potential Impact
Successful exploitation could lead to limited information disclosure or bypass of access controls related to remote image blocking in affected Roundcube Webmail versions. This could undermine privacy protections intended to prevent remote content from loading automatically in emails.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, users should consider additional email filtering or disabling remote content rendering where possible. Monitor official Roundcube channels for updates.
Technical Details
- Data Version: 5.2
- Assigner Short Name: mitre
- Date Reserved: 2026-05-25T19:21:09.220Z
- CVSS Version: 3.1
- State: PUBLISHED
- Remediation Level: null
Threat ID: 6a14a590a5ae1af1aae00324
Added to database: 5/25/2026, 7:40:00 PM
Last enriched: 5/25/2026, 7:55:33 PM
Last updated: 5/26/2026, 7:53:57 AM