Researchers discovered a critical vulnerability in Roundcube Webmail that allows attackers to bypass image blocking settings and track email opens through SVG feImage elements.
Roundcube Webmail, one of the most popular open-source webmail clients, has addressed a significant security vulnerability that could have allowed attackers to track email recipients even when they had remote image blocking enabled. The issue, identified in versions prior to 1.5.13 and 1.6.13, centered around improper handling of SVG feImage elements, creating a loophole in the application's content sanitization process.

The vulnerability stems from how Roundcube's rcube_washtml sanitizer processes different HTML and SVG elements. When the "Block remote images" setting is enabled, the sanitizer intercepts image-bearing attributes such as src on img tags and href on the SVG elements it recognises as image loaders, and runs them through a function that blocks external URLs. However, researchers discovered that feImage elements were handled differently.
The feImage element in SVG is used to load images into a document, similar to how img elements work in HTML. When an SVG containing a feImage element with an external href is processed, the sanitizer incorrectly routes it through the link-handling function rather than the image-handling function. This allows the external URL to pass through unblocked, defeating the purpose of the remote image blocking feature.
The technical details reveal a nuanced issue in the sanitizer's attribute processing logic. In the wash_attribs() function, each attribute goes through a series of checks. The first matching check determines how the attribute is processed. For image attributes, the sanitizer applies stricter blocking rules, while link attributes are allowed to pass through HTTP/HTTPS URLs.
The vulnerability existed because is_image_attribute() only explicitly checked for href attributes on the other SVG image-loading elements, but not on feImage elements. Meanwhile, is_link_attribute() acted as a catch-all for any href attribute, so the sanitizer classified feImage hrefs as links rather than images.
This oversight could be exploited by sending specially crafted emails containing invisible SVG elements with feImage tags pointing to attacker-controlled servers. When the recipient opened the email, their email client would load the external image, revealing their IP address and confirming that they had opened the message. This effectively turned the email into a tracking beacon, bypassing the user's privacy preferences.
The proof of concept demonstrates how an attacker could create a minimal SVG that positions a 1x1 pixel feImage element off-screen, making it invisible to the user while still triggering an HTTP request to the attacker's server. The request could include identifying information about the recipient, such as their email address.
The impact of this vulnerability extends beyond simple email tracking. Attackers could potentially combine this technique with other exploits to deliver more sophisticated attacks. The ability to confirm email opens could also be valuable for phishing campaigns, allowing attackers to refine their targeting and improve the effectiveness of their malicious content.
Roundcube addressed this issue in versions 1.5.13 and 1.6.13, released on February 8, 2026. The fix involved modifying the is_image_attribute() function to include feImage elements in its regex pattern, ensuring that href attributes on these elements are treated as image attributes and subject to the same blocking rules as other image elements. The official Roundcube announcement has more details.
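To make the first-match classification and its fix concrete, here is a small Python model of the attribute-washing logic described above. It is written for this article and is not Roundcube's rcube_washtml; the function names echo those in the text, the tag list in the "before" pattern (image, use) is an assumption about the original, and the SVG sample and the example.invalid host are constructed.

```python
"""Model of first-match attribute classification in an HTML/SVG sanitizer (illustrative, not rcube_washtml)."""
import re
import xml.etree.ElementTree as ET
REMOTE_URL = re.compile(r"^https?:", re.I)
# Tags whose href loads an image. The "before" list (image, use) is an assumption
# about the original pattern; the "after" list adds feImage, as the fix did.
IMAGE_HREF_TAGS_BEFORE = re.compile(r"^(image|use)$", re.I)
IMAGE_HREF_TAGS_AFTER = re.compile(r"^(image|use|feImage)$", re.I)

def is_image_attribute(tag, attr, image_href_tags):
    return attr in ("src", "background") or (attr == "href" and bool(image_href_tags.match(tag)))

def is_link_attribute(tag, attr):
    # Catch-all: any href the image check did not claim is treated as a link.
    return attr == "href"

def wash_attribute(tag, attr, value, block_remote, image_href_tags):
    """Return the value to keep, or None to drop it. Checks run in order and the
    first match decides the rule: remote images are blocked, links may be http(s)."""
    if is_image_attribute(tag, attr, image_href_tags):
        return None if block_remote and REMOTE_URL.match(value) else value
    if is_link_attribute(tag, attr):
        return value if REMOTE_URL.match(value) else None
    return value  # non-URL attributes are outside this model

def wash(svg_markup, block_remote=True, fixed=True):
    """Sanitize an SVG fragment; return (tag, attr) pairs whose remote URL survived,
    i.e. the requests a mail client would still make when rendering it."""
    pattern = IMAGE_HREF_TAGS_AFTER if fixed else IMAGE_HREF_TAGS_BEFORE
    survivors = []
    for el in ET.fromstring(svg_markup).iter():
        for attr, value in list(el.attrib.items()):
            kept = wash_attribute(el.tag, attr, value, block_remote, pattern)
            if kept is None:
                del el.attrib[attr]
            elif attr in ("src", "background", "href") and REMOTE_URL.match(kept):
                survivors.append((el.tag, attr))
    return survivors

# Constructed sample (example.invalid is a placeholder host): an off-screen 1x1 SVG
# carrying a link, a plain image and a feImage that all point off-site.
SAMPLE_SVG = (
    '<svg width="1" height="1" style="position:absolute;left:-9999px">'
    '<a href="https://example.invalid/page"/>'
    '<image href="https://example.invalid/logo.png"/>'
    '<filter id="f"><feImage href="https://example.invalid/pixel.gif"/></filter>'
    "</svg>"
)
print("before fix:", wash(SAMPLE_SVG, fixed=False))  # [('a', 'href'), ('feImage', 'href')]
print("after fix: ", wash(SAMPLE_SVG, fixed=True))   # [('a', 'href')]
```

With the "before" pattern the feImage href falls through to the link rule and its remote URL survives even though remote images are blocked; adding feImage to the image pattern is all it takes to close the gap.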
The vulnerability was reported to Roundcube on January 4, 2026, with the patches developed and released approximately one month later. This relatively quick response demonstrates the importance of prompt security updates in web applications that handle sensitive communications.
For users running affected versions of Roundcube, upgrading to the latest releases is strongly recommended. The vulnerability affects both the 1.5.x and 1.6.x release branches, making it crucial for administrators to verify their current version and apply the necessary updates. You can download the latest versions from the Roundcube website.
This discovery highlights the complexity of properly securing web applications that process user-generated content, particularly when dealing with complex formats like SVG that contain multiple elements and attributes with similar but distinct functions. The interplay between different sanitization rules can create unexpected vulnerabilities that require careful analysis and thorough testing.
As webmail clients continue to evolve and support increasingly rich content, security researchers and developers must remain vigilant in identifying and addressing these nuanced issues that could compromise user privacy and security.