Roundcube Webmail Flaw Lets Attackers Track Email Opens

Marcus Rodriguez
February 9, 2026

Roundcube, a leading open-source webmail solution, has pushed out critical security updates. These updates resolve a privacy bypass vulnerability.

The flaw detailed by NULL CATHEDRAL allowed attackers to load remote images and track email opens, even when users had explicitly configured their settings to “Block remote images.”

The vulnerability affects Roundcube Webmail versions prior to 1.5.13 and all 1.6.x versions prior to 1.6.13. The maintainers have released versions 1.5.13 and 1.6.13 to patch the issue, which was publicly disclosed on February 8, 2026.

The core of the issue lies in Roundcube’s HTML sanitizer, rcube_washtml, which is responsible for cleaning incoming email content to prevent Cross-Site Scripting (XSS) and privacy leaks.

When a user sets allow_remote to false, the sanitizer intercepts HTML attributes known to load external resources. Specifically, the function is_image_attribute() checks tags like <img>, <video>, and <use> for attributes that might trigger a network request (such as src or href). If matched, the URL is sanitized to ensure it is not external.

However, standard links (like <a href>) are processed differently. They pass through a function called wash_link(), which permits HTTP and HTTPS URLs so that users can click on legitimate hyperlinks.

The vulnerability arose because the sanitizer failed to classify the SVG element <feImage> as an image container.

The Exploit Mechanism

"<feImage> is an SVG filter primitive that fetches image data from an external source using the href attribute. Because rcube_washtml did not include feimage in its blocklist for is_image_attribute(), the sanitizer treated the href essentially as a standard clickable link," reads the NULL CATHEDRAL report.

Consequently, the malicious URL was routed to wash_link(), which allowed the external connection.

An attacker could exploit this by embedding an invisible 1×1 SVG in an email. Inside the SVG, a filter definition using <feImage> would automatically trigger a GET request to an attacker-controlled server as soon as the email was rendered.

This bypass defeats the privacy protections users rely on to prevent tracking pixels. By exploiting this flaw, threat actors could:

  • Confirm an email address is active.
  • Log the recipient’s IP address.
  • Fingerprint the victim’s browser and device.

The fix, implemented in commit 26d7677, updates the regex logic within is_image_attribute(). The sanitizer now explicitly recognizes feimage alongside image and use when inspecting href attributes. This ensures that any attempt to load external resources via SVG filters is caught and blocked by the strict image sanitization rules.
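To make the classification error concrete, the following is an added illustration, not Roundcube's own rcube_washtml code: a toy sanitizer in Python that routes each URL-bearing attribute either to an image washer (remote URLs dropped when remote images are blocked) or to a link washer (http/https kept), and then lists which surviving URLs a browser would fetch on render. The sample email body, the two tag patterns and the AUTO_FETCHED set are constructed for the example; the only difference between the "vulnerable" and "patched" pattern is the feimage entry, mirroring the regex change described above.

```python
import re
from html.parser import HTMLParser
# Constructed sample body (not from the advisory): a link, a remote <img>, and a 1x1 SVG <feImage>.
SAMPLE_EMAIL_HTML = (
    '<p>Hello, <a href="https://example.com/news">read more</a></p>'
    '<svg width="1" height="1"><filter id="f"><feImage href="https://tracker.example/pixel.gif"/>'
    '</filter></svg><img src="https://tracker.example/img.gif">'
)
# Tags whose href loads image data: the vulnerable pattern omits feimage, the patched one adds it.
VULNERABLE_HREF_IMAGE_TAGS = re.compile(r'^(image|use)$', re.I)
PATCHED_HREF_IMAGE_TAGS = re.compile(r'^(image|use|feimage)$', re.I)
# What a browser fetches automatically on render, whatever the sanitizer decided about it.
AUTO_FETCHED = {('img', 'src'), ('use', 'href'), ('image', 'href'), ('feimage', 'href')}

def is_image_attribute(tag, attr, href_image_tags):
    # The sanitizer's classification step: does this attribute point at an image resource?
    return (attr == 'src' and tag == 'img') or (attr == 'href' and bool(href_image_tags.match(tag)))

def wash_image(url, allow_remote):
    # Image path: embedded data:/cid: URLs stay; remote URLs are dropped unless allowed.
    if re.match(r'^(data:|cid:)', url, re.I):
        return url
    return url if allow_remote else None

def wash_link(url):
    # Hyperlink path: http(s) and mailto are kept so users can click them.
    return url if re.match(r'^(https?:|mailto:)', url, re.I) else None

class Washer(HTMLParser):
    # Toy stand-in for the sanitizer pass; records every (tag, attr, url) that survives washing.
    def __init__(self, href_image_tags, allow_remote=False):
        super().__init__()
        self.href_image_tags, self.allow_remote, self.kept = href_image_tags, allow_remote, []

    def handle_starttag(self, tag, attrs):  # HTMLParser lowercases tag and attribute names
        for attr, value in attrs:
            value = value or ''  # valueless attributes wash to nothing
            if is_image_attribute(tag, attr, self.href_image_tags):
                washed = wash_image(value, self.allow_remote)
            else:
                washed = wash_link(value) if attr == 'href' else None
            if washed:
                self.kept.append((tag, attr, washed))

def leaked_urls(html, href_image_tags, allow_remote=False):
    # URLs still present after washing that the browser will fetch on render: the tracking leak.
    w = Washer(href_image_tags, allow_remote)
    w.feed(html)
    return [u for tag, attr, u in w.kept if (tag, attr) in AUTO_FETCHED]
```

With the vulnerable pattern the feImage href survives via the link path and is auto-fetched, so leaked_urls() returns the tracker URL; with the patched pattern it is washed as an image and the list is empty, while the ordinary <a href> link is kept in both cases.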

Administrators running self-hosted instances of Roundcube are urged to upgrade to version 1.5.13 or 1.6.13 immediately to protect user privacy.
