CVE-2026-48843 Roundcube CVE debrief

Who should care

Organizations operating Roundcube Webmail instances; security teams responsible for email gateway and webmail security; incident responders tracking SSRF exploitation patterns; system administrators managing on-premise or hosted email services

Technical summary

The vulnerability exists in Roundcube's HTML email rendering pipeline where Cascading Style Sheets are not sufficiently sanitized. Malicious emails containing stylesheet links pointing to internal network resources can cause the webmail server to fetch those resources, resulting in SSRF or information disclosure. The attack requires no authentication or user interaction, making it suitable for automated exploitation. The incomplete nature of the prior CVE-2026-35540 fix suggests the original patch addressed a specific attack vector but failed to comprehensively validate or restrict CSS link destinations.

Defensive priority

HIGH

Recommended defensive actions

• Upgrade Roundcube Webmail to version 1.6.16 (for 1.6.x branch) or 1.7.1 (for 1.7.x branch) immediately
• Review email filtering policies to restrict or sanitize external stylesheet references in HTML messages
• Monitor webmail server logs for anomalous outbound requests triggered by email rendering processes
• Assess network segmentation to limit exposure of internal services from webmail server hosts
• Verify that prior patches for CVE-2026-35540 have been superseded by the updated fixes in 1.6.16/1.7.1

Evidence notes

CVE published 2026-05-25; modified 2026-05-26. Vendor security advisory dated 2026-05-24 precedes CVE publication. GitHub commits ab96c88bfd888866ec5e02190b19618db283923a and cb3fc9041e91640ba9ba49ee7b2147c176ebf5a1 identified as remediation commits. Releases 1.6.16 and 1.7.1 contain fixes. CWE-918 (Server-Side Request Forgery) classified as primary weakness.

Official resources