Roundcube: Roundcube Webmail Vulnerability Let Attackers Track Email Opens

Roundcube Patches Critical Privacy Bypass Vulnerability in Webmail Software

Roundcube, a widely used open-source webmail platform, has released urgent security updates to fix a privacy bypass flaw that allowed attackers to track email opens despite user settings blocking remote images. The vulnerability, disclosed by security researchers at NULL CATHEDRAL on February 8, 2026, affects all versions prior to 1.5.13 and 1.6.x versions before 1.6.13.

The issue stemmed from a flaw in Roundcube’s HTML sanitizer, rcube_washtml, which failed to recognize the SVG element <feImage> as an image container. While the sanitizer blocked standard image tags (e.g., <img>), it treated <feImage>, an SVG filter primitive that fetches external resources via its href attribute, as a regular hyperlink. This allowed attackers to embed invisible 1×1 SVGs in emails that triggered automatic GET requests to attacker-controlled servers when the email was rendered, even with remote images disabled.

Exploiting this flaw enabled threat actors to:

  • Confirm active email addresses.
  • Log recipients’ IP addresses.
  • Fingerprint browsers and devices.

The patch, implemented in commit 26d7677, updates the sanitizer’s regex logic to explicitly block <feImage> alongside other image-related tags. Administrators of self-hosted Roundcube instances are advised to upgrade to 1.5.13 or 1.6.13 to mitigate the risk.
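To make the sanitizer gap concrete, here is an added Python illustration (not Roundcube's rcube_washtml, which is PHP): a minimal mail-body sanitizer for the "remote images disabled" setting that neutralises remote URLs on image-bearing elements, where the only difference between the pre-patch and post-patch behaviour is whether feImage is on that element list. The markup and example.invalid URLs are constructed sample input.

```python
from html.parser import HTMLParser
import re

# Elements whose URL attribute fetches an image when the mail is rendered.
# The pre-patch list did not treat SVG <feImage> as an image container
# (html.parser lowercases tag names, hence "feimage").
IMAGE_ELEMENTS_BEFORE = {"img", "image"}
IMAGE_ELEMENTS_AFTER = {"img", "image", "feimage"}
RESOURCE_ATTRS = {"src", "href", "xlink:href"}
REMOTE_URL = re.compile(r"^\s*(?:https?:)?//", re.IGNORECASE)


class RemoteImageBlocker(HTMLParser):
    """Neutralises remote URLs on image-bearing elements; other markup passes through."""

    def __init__(self, image_elements):
        super().__init__(convert_charrefs=False)  # keep entities escaped in the output
        self.image_elements, self.out, self.blocked = image_elements, [], []

    def _tag(self, tag, attrs, end):
        parts = [f"<{tag}"]
        for name, value in attrs:
            if (tag in self.image_elements and name in RESOURCE_ATTRS
                    and value is not None and REMOTE_URL.match(value)):
                self.blocked.append((tag, value))   # record what was stopped
                value = "blocked:"                  # inert placeholder, nothing is fetched
            parts.append(f' {name}="{value}"' if value is not None else f" {name}")
        return "".join(parts) + end

    def handle_starttag(self, tag, attrs): self.out.append(self._tag(tag, attrs, ">"))
    def handle_startendtag(self, tag, attrs): self.out.append(self._tag(tag, attrs, "/>"))
    def handle_endtag(self, tag): self.out.append(f"</{tag}>")
    def handle_data(self, data): self.out.append(data)
    def handle_entityref(self, name): self.out.append(f"&{name};")
    def handle_charref(self, name): self.out.append(f"&#{name};")


def sanitize(markup, image_elements=IMAGE_ELEMENTS_AFTER):
    """Return (sanitized_markup, blocked) for a body rendered with remote images disabled."""
    parser = RemoteImageBlocker(image_elements)
    parser.feed(markup)
    parser.close()
    return "".join(parser.out), parser.blocked


# Constructed mail body: a classic 1x1 tracking pixel plus the SVG filter variant.
SAMPLE = ('<p>Hello &amp; welcome</p>'
          '<img src="https://example.invalid/pixel.png" width="1" height="1">'
          '<svg width="1" height="1"><filter id="f">'
          '<feImage href="https://example.invalid/track"/></filter></svg>')
```

Running `sanitize(SAMPLE, IMAGE_ELEMENTS_BEFORE)` leaves the feImage URL intact while blocking only the img, which is exactly the bypass; with `IMAGE_ELEMENTS_AFTER` both are neutralised.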

Source: https://cybersecuritynews.com/roundcube-webmail-vulnerability/

RoundCube DOO cybersecurity rating report: https://www.rankiteo.com/company/roundcubedoo

"id": "ROU1770638099",
"linkid": "roundcubedoo",
"type": "Vulnerability",
"date": "2/2026",
"severity": "25",
"impact": "1",
"explanation": "Attack without any consequences"
{'affected_entities': [{'customers_affected': 'Users of Roundcube webmail '
                                              '(self-hosted instances)',
                        'industry': 'Technology (Webmail/Email Services)',
                        'name': 'Roundcube',
                        'type': 'Software Provider'}],
 'attack_vector': 'Email (Malicious SVG Embedding)',
 'data_breach': {'data_exfiltration': 'GET requests to attacker-controlled '
                                      'servers',
                 'personally_identifiable_information': 'No (unless combined '
                                                        'with other attacks)',
                 'sensitivity_of_data': 'Low to Medium (Non-PII but '
                                        'privacy-invasive)',
                 'type_of_data_compromised': 'Email open tracking data, IP '
                                             'addresses, device/browser '
                                             'fingerprints'},
 'date_detected': '2026-02-08',
 'date_publicly_disclosed': '2026-02-08',
 'description': 'Roundcube released urgent security updates to fix a privacy '
                'bypass flaw that allowed attackers to track email opens '
                'despite user settings blocking remote images. The '
                'vulnerability stemmed from a flaw in Roundcube’s HTML '
                'sanitizer, rcube_washtml, which failed to recognize the SVG '
                'element <feImage> as an image container. This allowed '
                'attackers to embed invisible 1×1 SVGs in emails, triggering '
                'automatic GET requests to attacker-controlled servers when '
                'the email was rendered.',
 'impact': {'data_compromised': 'Email open tracking, IP addresses, '
                                'browser/device fingerprints',
            'systems_affected': 'Roundcube webmail software (versions prior to '
                                '1.5.13 and 1.6.x before 1.6.13)'},
 'investigation_status': 'Resolved (Patch Released)',
 'lessons_learned': 'Need for stricter HTML sanitization in email clients, '
                    'especially for SVG elements that can bypass '
                    'image-blocking policies.',
 'motivation': 'Reconnaissance, Email Tracking, IP Logging, Device '
               'Fingerprinting',
 'post_incident_analysis': {'corrective_actions': 'Updated sanitizer regex to '
                                                  'explicitly block <feImage> '
                                                  'and similar SVG elements.',
                            'root_causes': 'Inadequate HTML sanitization in '
                                           'rcube_washtml, specifically '
                                           'failing to block <feImage> SVG '
                                           'elements.'},
 'recommendations': 'Administrators should immediately upgrade to Roundcube '
                    '1.5.13 or 1.6.13. Users should avoid opening emails from '
                    'untrusted sources until patched.',
 'references': [{'source': 'NULL CATHEDRAL (Security Researchers)'}],
 'response': {'communication_strategy': 'Public disclosure and advisory to '
                                        'administrators',
              'containment_measures': 'Security patch released (commit '
                                      '26d7677)',
              'remediation_measures': 'Upgrade to Roundcube 1.5.13 or 1.6.13'},
 'stakeholder_advisories': 'Advisory to self-hosted Roundcube administrators '
                           'to apply the patch.',
 'title': 'Roundcube Patches Critical Privacy Bypass Vulnerability in Webmail '
          'Software',
 'type': 'Privacy Bypass',
 'vulnerability_exploited': 'Flaw in HTML sanitizer (rcube_washtml) failing to '
                            'block <feImage> SVG element'}