CVE-2026-9818
Description
Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CVE-2026-9818 has been rejected by its CNA; no vulnerability details are applicable.
Vulnerability
This CVE identifier has been rejected or withdrawn by its CVE Numbering Authority. No vulnerability is associated with this ID.
Exploitation
Not applicable, as the CVE was rejected.
Impact
Not applicable, as the CVE was rejected.
Mitigation
Not applicable, as the CVE was rejected.
AI Insight generated on May 28, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Patches (2)
Commit 27b52353653a6: Fix local/private URL fetch bypass when remote resources were not allowed
3 files changed · +3 −1
CHANGELOG.md+1 −0 modified@@ -8,6 +8,7 @@ - Security: Fix pre-auth SQL injection in `virtuser_query` plugin via preg_replace backslash escape bypass - Security: Fix SSRF bypass via specific local address URLs - Security: Fix bypass of remote image blocking via CSS var() +- Security: Fix local/private URL fetch bypass when remote resources were not allowed ## Release 1.6.15
program/lib/Roundcube/rcube_washtml.php+1 −1 modified@@ -399,7 +399,7 @@ private function wash_uri($uri, $blocked_source = false, $is_image = true) } if (preg_match('/^(http|https|ftp):.+/i', $uri)) { - if (!empty($this->config['allow_remote']) || rcube_utils::is_local_url($uri)) { + if (!empty($this->config['allow_remote'])) { return $uri; }
tests/Framework/Washtml.php+1 −0 modified@@ -712,6 +712,7 @@ function test_extlinks() ['<link href="http://TRACKING_URL/">', true], ['<link href="src:abc">', false], ['<img src="http://TRACKING_URL/">', true], + ['<img src="http://127.0.0.1">', true], ['<img src="data:image">', false], ['<p style="backgr\ound-image: \ur\l(\'http://TRACKING_URL\')"></p>', true], ['<p style="background-image: var(--x, url(http://evil.com/1.gif))"></p>', true],
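Review bot: the only regression case added in tests/Framework/Washtml.php is `['<img src="http://127.0.0.1">', true]`, but the branch removed from `wash_uri()` (`|| rcube_utils::is_local_url($uri)`) exempted every URL that helper classified as local, not just IPv4 loopback. Add cases for `localhost`, a bracketed IPv6 loopback such as `http://[::1]/`, a private-range host such as `http://192.168.0.1/`, and the `https:` and `ftp:` schemes the preceding `preg_match()` accepts, so that reintroducing the exemption for any of those forms fails the test instead of slipping through.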
Commit faf867432f51: Fix local/private URL fetch bypass when remote resources were not allowed
3 files changed · +3 −1
CHANGELOG.md+1 −0 modified@@ -20,6 +20,7 @@ This file includes only changes we consider noteworthy for users, admins and plu - Security: Fix pre-auth SQL injection in `virtuser_query` plugin via preg_replace backslash escape bypass - Security: Fix SSRF bypass via specific local address URLs - Security: Fix bypass of remote image blocking via CSS var() +- Security: Fix local/private URL fetch bypass when remote resources were not allowed ## Release 1.7.0
program/lib/Roundcube/rcube_washtml.php+1 −1 modified@@ -389,7 +389,7 @@ private function wash_uri($uri, $blocked_source = false, $is_image = true) } if (preg_match('/^(http|https|ftp):.+/i', $uri)) { - if (!empty($this->config['allow_remote']) || rcube_utils::is_local_url($uri)) { + if (!empty($this->config['allow_remote'])) { return $uri; }
tests/Framework/WashtmlTest.php+1 −0 modified@@ -717,6 +717,7 @@ public function test_extlinks() ['<link href="http://TRACKING_URL/">', true], ['<link href="src:abc">', false], ['<img src="http://TRACKING_URL/">', true], + ['<img src="http://127.0.0.1">', true], ['<img src="data:image">', false], ['<p style="backgr\ound-image: \ur\l(\'http://TRACKING_URL\')"></p>', true], ['<p style="background-image: var(--x, url(http://evil.com/1.gif))"></p>', true],
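Review bot: the CHANGELOG line in this hunk names the fix but not its user-visible effect: with the `is_local_url()` exemption gone from `wash_uri()`, any `http`, `https` or `ftp` reference the helper used to classify as local is now treated like other remote content whenever `allow_remote` is unset, so such references show as blocked until the user allows remote resources. State that in the changelog (and in the matching 1.6 branch entry), and if that exemption had legitimate callers, say what they should do instead so the behaviour change is not reported as a regression.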
Vulnerability mechanics
Root cause
"The `wash_uri()` method in `rcube_washtml.php` allowed local/private URLs to bypass the remote-content block by checking `rcube_utils::is_local_url()` as an alternative to the `allow_remote` configuration flag."
Attack vector
A remote attacker sends an HTML email containing an `<img>`, `<link>`, or other element whose `src` or `href` points at a local or private-network address (e.g., `http://127.0.0.1`). When the victim opens or previews the message in Roundcube, the HTML sanitizer's `wash_uri()` previously let such URLs through because `rcube_utils::is_local_url()` returned true for them, even though remote content loading was disabled [patch_id=2916234][patch_id=2916233]. The victim's browser then fetches those URLs, so the attacker can make it issue requests to loopback and private-network services that the attacker cannot reach directly. The request originates from the victim's browser rather than from the Roundcube server, so the effect is client-side, SSRF-like probing of internal resources, and the remote-content block that should have prevented any fetch is bypassed [ref_id=1].
Affected code
The vulnerability resides in the `wash_uri()` method of `program/lib/Roundcube/rcube_washtml.php` [patch_id=2916234][patch_id=2916233]. The method previously let any `http`, `https` or `ftp` URL that `rcube_utils::is_local_url($uri)` classified as local (loopback, localhost, RFC1918, link-local and ULA addresses) pass through even when the `allow_remote` configuration option was disabled, because that helper was checked as an alternative condition to `allow_remote`.
What the fix does
The patch removes the `|| rcube_utils::is_local_url($uri)` condition from the `if` statement in `wash_uri()`, so that only the `!empty($this->config['allow_remote'])` check controls whether a URL is returned [patch_id=2916234][patch_id=2916233]. This means local/private URLs are now blocked when remote resources are not allowed, closing the bypass. The test suite was updated to confirm that `<img src="http://127.0.0.1">` is now treated as a blocked URL [patch_id=2916234][patch_id=2916233].
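The before/after decision, as an added example that is not Roundcube's own code: a minimal `<img>` washer that applies the pre-patch condition (`allow_remote` or local URL) and the post-patch condition (`allow_remote` only) to constructed samples with remote content disabled. `is_local_url_model()` is an assumed stand-in for `rcube_utils::is_local_url()` that flags the address classes the narrative above attributes to it; the placeholder path and the `$extlinks` flag are assumptions that mirror how the test above reports a blocked reference.

```php
<?php
// Added example, not Roundcube code. It models the wash_uri() decision
// from rcube_washtml.php before and after the fix inside a minimal <img>
// washer, so the local-URL bypass can be observed end to end.
// Assumptions: is_local_url_model() stands in for rcube_utils::is_local_url()
// and flags the address classes the narrative attributes to it (loopback,
// localhost, RFC1918, link-local, ULA); the placeholder path and the
// $extlinks flag mirror how the test above reports a blocked reference.

function is_local_url_model(string $uri): bool
{
    $host = parse_url($uri, PHP_URL_HOST);
    if (!is_string($host) || $host === '') {
        return false;
    }
    $host = strtolower(trim($host, '[]')); // strip IPv6 literal brackets
    if ($host === 'localhost') {
        return true;
    }
    if (filter_var($host, FILTER_VALIDATE_IP) === false) {
        return false; // hostnames other than localhost are treated as remote here
    }
    // NO_PRIV_RANGE rejects RFC1918 and fc00::/7 (ULA); NO_RES_RANGE rejects
    // 127/8, 169.254/16, ::1 and fe80::/10, so a valid IP that fails the
    // filtered check is exactly a local/private address.
    return filter_var($host, FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) === false;
}

// $fixed selects the post-patch condition (allow_remote only) or the
// pre-patch one (allow_remote OR is_local_url). Returns null when blocked.
function wash_uri_model(string $uri, bool $allow_remote, bool $fixed): ?string
{
    if (preg_match('/^(http|https|ftp):.+/i', $uri)) {
        if ($allow_remote || (!$fixed && is_local_url_model($uri))) {
            return $uri;
        }
        return null;
    }
    if (preg_match('/^data:image\//i', $uri)) {
        return $uri; // inline image data triggers no fetch
    }
    return null;
}

// Rewrites <img src="..."> and reports whether any reference was blocked.
function wash_html_model(string $html, bool $allow_remote, bool $fixed): array
{
    $extlinks = false;
    $washed = preg_replace_callback(
        '/<img\b([^>]*?)\bsrc="([^"]*)"/i',
        function (array $m) use ($allow_remote, $fixed, &$extlinks): string {
            $uri = wash_uri_model($m[2], $allow_remote, $fixed);
            if ($uri === null) {
                $extlinks = true;
                $uri = 'program/resources/blocked.gif'; // assumed placeholder
            }
            return '<img' . $m[1] . 'src="' . htmlspecialchars($uri, ENT_QUOTES) . '"';
        },
        $html
    );
    return [$washed, $extlinks];
}

// Constructed samples: remote content disabled in every case.
$samples = [
    '<img src="http://127.0.0.1/probe.gif">',
    '<img src="http://[::1]/">',
    '<img src="http://192.168.1.1/cgi-bin/reboot">',
    '<img src="https://localhost:8443/status">',
    '<img src="http://tracker.example/open.gif">',
    '<img src="data:image/gif;base64,R0lGODlhAQABAAAAACw=">',
];
foreach ($samples as $html) {
    [, $blockedBefore] = wash_html_model($html, false, false);
    [, $blockedAfter]  = wash_html_model($html, false, true);
    printf("%-56s before fix: %-7s after fix: %s\n", $html,
        $blockedBefore ? 'blocked' : 'LOADED', $blockedAfter ? 'blocked' : 'LOADED');
}
```

Run it with the `php` command-line interpreter; each sample prints whether the reference would be loaded or blocked under the old and the new condition. The rows to look at are the IPv4 loopback, IPv6 loopback, private-range and `localhost` ones, which the old condition loads even though remote content is disabled and the new condition blocks; the tracker host and the `data:` image behave the same way under both, which is why the single `127.0.0.1` case in the project's test is enough to catch the exact regression but says nothing about the other local forms.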
Preconditions
- config: The victim must use Roundcube with remote content loading disabled (the default or explicitly configured).
- input: The attacker must be able to send an HTML email to the victim that is rendered by Roundcube.
- input: The victim must open or preview the malicious email in Roundcube's web interface.
Generated on May 28, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
News mentions (0)
No linked articles in our index yet.