VYPR
Unrated severity · NVD Advisory · Published May 25, 2026

CVE-2026-48845

Description

In Roundcube Webmail 1.6.x between 1.6.14 and 1.6.16 and 1.7.x before 1.7.1, remote image blocking was not honored for URLs pointing to local/private destinations, which may lead to information disclosure or privilege escalation via a text/html email message.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Roundcube Webmail fails to block remote images pointing to local/private URLs, potentially enabling SSRF and information disclosure.

Vulnerability

In Roundcube Webmail 1.6.x from 1.6.14 up to and including 1.6.16, and 1.7.x before 1.7.1, the remote image blocking mechanism is bypassed for URLs pointing to local/private destinations. The code in wash_uri() previously used a condition that allowed the fetch if rcube_utils::is_local_url($uri) returned true, even when the allow_remote configuration was disabled. This flaw is fixed by removing the local URL exception [1][2][4].

Exploitation

An attacker can send a specially crafted text/html email message containing an `<img>` tag or other resource reference whose URL points to a local or private address (e.g., `http://127.0.0.1`). No authentication or special privileges are required beyond the ability to send an HTML email to a victim who uses a vulnerable Roundcube instance. The blocking logic is evaluated during message rendering, so the victim only needs to view the email [1][2][3][4].

Impact

Successful exploitation allows the attacker to trigger requests from the Roundcube server to internal or private network resources, potentially leading to Server-Side Request Forgery (SSRF) and information disclosure of internal services. Depending on the accessible local hosts and services, this could also facilitate privilege escalation [1][2][3].

Mitigation

Users should upgrade to Roundcube Webmail 1.7.1 or 1.6.16 (for LTS 1.6.x), both released on May 24, 2026. These versions remove the local URL bypass in the wash_uri() function. No workaround is available for unpatched installations, and upgrading is strongly recommended by the vendor [1][2][3].

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

  • Roundcube/Webmail (inferred) · 2 versions
    • (no CPE) range: >=1.6.14,<1.6.17 || >=1.7.0,<1.7.1
    • (no CPE) range: >=1.6.14, <=1.6.16 || >=1.7.0, <1.7.1

Patches

7b52353653a6

Fix local/private URL fetch bypass when remote resources were not allowed

https://github.com/roundcube/roundcubemail · Aleksander Machniak · May 24, 2026 · via nvd-ref
3 files changed · +3 -1
  • CHANGELOG.md (+1 -0, modified)
    @@ -8,6 +8,7 @@
     - Security: Fix pre-auth SQL injection in `virtuser_query` plugin via preg_replace backslash escape bypass
     - Security: Fix SSRF bypass via specific local address URLs
     - Security: Fix bypass of remote image blocking via CSS var()
    +- Security: Fix local/private URL fetch bypass when remote resources were not allowed
     
     ## Release 1.6.15
     
    
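Review bot: the new entry describes the fix but not its user-visible consequence, which is what an admin reading the changelog will care about: with `allow_remote` unset, images and other resources hosted on local/private addresses are now blocked like any other remote resource. One extra clause, e.g. `(local/private hosts are no longer exempt when allow_remote is disabled)`, would save a support question the first time intranet images stop rendering after the upgrade.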
  • program/lib/Roundcube/rcube_washtml.php (+1 -1, modified)
    @@ -399,7 +399,7 @@ private function wash_uri($uri, $blocked_source = false, $is_image = true)
             }
     
             if (preg_match('/^(http|https|ftp):.+/i', $uri)) {
    -            if (!empty($this->config['allow_remote']) || rcube_utils::is_local_url($uri)) {
    +            if (!empty($this->config['allow_remote'])) {
                     return $uri;
                 }
     
    
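Review bot: dropping the `|| rcube_utils::is_local_url($uri)` alternative is the whole fix and is the right one, because this condition decides whether a fetch may happen at all when the administrator has disabled remote resources, and a local or private destination is precisely the case where that fetch reaches something the message sender could not. Add a one-line comment above the `if` recording that rationale, so the exemption is not reintroduced later as a convenience. The branch taken for a non-allowed URI after this block (the `$blocked_source` substitution named in the signature) is outside the hunk; confirm these URIs now reach it.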
  • tests/Framework/Washtml.php (+1 -0, modified)
    @@ -712,6 +712,7 @@ function test_extlinks()
                 ['<link href="http://TRACKING_URL/">', true],
                 ['<link href="src:abc">', false],
                 ['<img src="http://TRACKING_URL/">', true],
    +            ['<img src="http://127.0.0.1">', true],
                 ['<img src="data:image">', false],
                 ['<p style="backgr\ound-image: \ur\l(\'http://TRACKING_URL\')"></p>', true],
                 ['<p style="background-image: var(--x, url(http://evil.com/1.gif))"></p>', true],
    
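Review bot: the added row pins only the loopback literal `http://127.0.0.1`, while the changelog entry speaks of local/private URLs generally; one row per address form the project treats as local (a `localhost` hostname, a private-range address) would guard the whole surface this fix closes rather than a single value. A companion row run with `allow_remote` enabled, asserting the same URI is passed through, would also show that the change blocks local URLs without breaking them for sites that do allow remote content.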
d82b8c6cd06c

Fix local/private URL fetch bypass when remote resources were not allowed

https://github.com/roundcube/roundcubemail · Aleksander Machniak · May 24, 2026 · via nvd-ref
3 files changed · +3 -1
  • CHANGELOG.md (+1 -0, modified)
    @@ -19,6 +19,7 @@ This file includes only changes we consider noteworthy for users, admins and plu
     - Security: Fix pre-auth SQL injection in `virtuser_query` plugin via preg_replace backslash escape bypass
     - Security: Fix SSRF bypass via specific local address URLs
     - Security: Fix bypass of remote image blocking via CSS var()
    +- Security: Fix local/private URL fetch bypass when remote resources were not allowed
     
     ## Release 1.7.0
     
    
  • program/lib/Roundcube/rcube_washtml.php (+1 -1, modified)
    @@ -389,7 +389,7 @@ private function wash_uri($uri, $blocked_source = false, $is_image = true)
             }
     
             if (preg_match('/^(http|https|ftp):.+/i', $uri)) {
    -            if (!empty($this->config['allow_remote']) || rcube_utils::is_local_url($uri)) {
    +            if (!empty($this->config['allow_remote'])) {
                     return $uri;
                 }
     
    
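Review bot: this is the same one-line change as on the 1.6 branch at a different offset (`@@ -389` here versus `@@ -399` there), so the two branches stay in step. Since `rcube_utils::is_local_url()` is no longer called from `wash_uri()` on either branch, check whether it still has other callers and, if not, deprecate it, so that nobody reaches for it again as a ready-made exemption.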
  • tests/Framework/WashtmlTest.php (+1 -0, modified)
    @@ -717,6 +717,7 @@ public function test_extlinks()
                 ['<link href="http://TRACKING_URL/">', true],
                 ['<link href="src:abc">', false],
                 ['<img src="http://TRACKING_URL/">', true],
    +            ['<img src="http://127.0.0.1">', true],
                 ['<img src="data:image">', false],
                 ['<p style="backgr\ound-image: \ur\l(\'http://TRACKING_URL\')"></p>', true],
                 ['<p style="background-image: var(--x, url(http://evil.com/1.gif))"></p>', true],
    
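Review bot: the `true` in the second column means the washer reports the URI as an external resource, matching the `TRACKING_URL` rows above it and the `false` for `data:` and `src:abc`; spell that reading out in a comment on the table, because the loopback row is the one a reader would otherwise expect to be `false`. The 1.6 copy of this table lives in `tests/Framework/Washtml.php` with a non-`public` method signature, so keep the added row byte-identical on both branches to make the next cherry-pick clean.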

Vulnerability mechanics

Root cause

"The `wash_uri` method allowed local/private URLs to bypass remote resource blocking because it checked `rcube_utils::is_local_url($uri)` as an alternative condition to `allow_remote`."

Attack vector

An attacker sends a text/html email containing an `

Affected code

The vulnerability resides in the `wash_uri` method of `program/lib/Roundcube/rcube_washtml.php`. The conditional check at line 392 allowed URLs to pass through if `rcube_utils::is_local_url($uri)` returned true, even when remote resources were not allowed [patch_id=2473667][patch_id=2473668].

What the fix does

Both patches remove the `|| rcube_utils::is_local_url($uri)` clause from the condition in `wash_uri`, so that local/private URLs are no longer an exception to remote resource blocking [patch_id=2473667][patch_id=2473668]. The test suite was updated to assert that `
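As an added illustration (not code from Roundcube or from this advisory), the following reduced model of the http/https/ftp gate in `wash_uri()` puts the pre-fix condition from the Vulnerability section beside the patched one from the commits above, using the `<img src="http://127.0.0.1">` case the patches add to the test suite. `looks_local()` is a crude stand-in for `rcube_utils::is_local_url()`, `BLOCKED_PLACEHOLDER` stands in for the `$blocked_source` substitution, and those two names and `wash_uri_gate()` are assumptions, not Roundcube identifiers.

```php
<?php
// Added illustration, not Roundcube code: a reduced model of the http/https/ftp
// gate inside rcube_washtml::wash_uri(), before and after the fix.
// wash_uri_gate(), looks_local() and BLOCKED_PLACEHOLDER are assumed names.
declare(strict_types=1);

// Stand-in for whatever wash_uri() substitutes via $blocked_source.
const BLOCKED_PLACEHOLDER = 'blocked-resource.gif';

// Crude stand-in for rcube_utils::is_local_url(): loopback, localhost and
// RFC 1918 hosts only. Roundcube's real matcher is not reproduced here.
function looks_local(string $uri): bool
{
    $host = parse_url($uri, PHP_URL_HOST);
    if (!is_string($host)) {
        return false;
    }
    if (in_array(strtolower($host), ['localhost', '127.0.0.1', '[::1]'], true)) {
        return true;
    }
    return (bool) preg_match('/^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)/', $host);
}

// Returns the URI the sanitizer emits for a src/href attribute.
// $vulnerable = true reproduces the condition shipped in 1.6.14-1.6.16 and 1.7.0:
//   if (!empty($this->config['allow_remote']) || rcube_utils::is_local_url($uri))
// $vulnerable = false reproduces the patched condition:
//   if (!empty($this->config['allow_remote']))
function wash_uri_gate(string $uri, bool $allow_remote, bool $vulnerable): string
{
    if (preg_match('/^(http|https|ftp):.+/i', $uri)) {
        if ($allow_remote || ($vulnerable && looks_local($uri))) {
            return $uri;                // left in place: fetched when the message is rendered
        }
        return BLOCKED_PLACEHOLDER;     // remote resource blocked
    }
    return $uri;                        // other schemes are handled elsewhere in wash_uri()
}

// The row the patches add to the test table, with remote resources disabled:
// the old condition lets the loopback URL through, the patched one substitutes
// the placeholder; with allow_remote enabled both versions pass it unchanged.
$uri = 'http://127.0.0.1';
foreach ([[false, true], [false, false], [true, false]] as [$allowRemote, $vulnerable]) {
    printf("allow_remote=%d vulnerable=%d -> %s\n",
        (int) $allowRemote, (int) $vulnerable, wash_uri_gate($uri, $allowRemote, $vulnerable));
}
```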

Preconditions

  • config: The Roundcube instance must have remote resource blocking enabled (allow_remote not set to true).
  • input: The attacker must be able to send a text/html email message to the victim.
  • auth: The victim must view the email in Roundcube with HTML rendering enabled.

Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
