CVE-2026-0818

4.3 MEDIUM

📋 TL;DR

This vulnerability in Thunderbird allows attackers to exfiltrate decrypted OpenPGP email contents through CSS injection when users load remote content. It affects Thunderbird users who decrypt inline OpenPGP messages in HTML-formatted emails with remote content enabled. The risk is limited to users who have both decrypted sensitive content and allowed remote content loading.

💻 Affected Systems

Products:
  • Mozilla Thunderbird
Versions: Thunderbird < 147.0.1 (release channel) and Thunderbird ESR < 140.7.1
Operating Systems: Windows, Linux, macOS
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when users have enabled 'Allow remote content in messages' AND decrypt inline OpenPGP messages in HTML emails.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers successfully extract sensitive decrypted email contents including passwords, financial information, or confidential communications.

🟠 Likely Case

Targeted attacks against specific users with valuable encrypted communications, requiring both user interaction and specific configuration settings.

🟢 If Mitigated

No impact if users have disabled remote content loading or avoid decrypting sensitive messages in HTML emails.

🌐 Internet-Facing: MEDIUM - Requires user to receive and interact with crafted email, but exploitation can occur from any sender.
🏢 Internal Only: MEDIUM - Same technical risk internally, but potentially higher trust in internal senders making users more likely to load content.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires user to receive crafted email, load remote content, and decrypt inline OpenPGP message. Attackers need control over CSS and fonts referenced in email.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Thunderbird 147.0.1 or Thunderbird 140.7.1

Vendor Advisory: https://www.mozilla.org/security/advisories/mfsa2026-07/

Restart Required: Yes

Instructions:

1. Open Thunderbird.
2. Go to Help > About Thunderbird.
3. Allow the automatic update, or download the update from mozilla.org.
4. Restart Thunderbird after the update.

🔧 Temporary Workarounds

Disable Remote Content (applies to: all)

Prevents loading of the remote CSS, fonts, and images that enable the attack.

In Thunderbird: Tools > Settings > Privacy & Security > untick 'Allow remote content in messages'

Use PGP/MIME Instead (applies to: all)

Avoids inline OpenPGP decryption in HTML emails.

Configure OpenPGP to use PGP/MIME attachments instead of inline decryption.

🧯 If You Can't Patch

  • Disable 'Allow remote content in messages' in Thunderbird settings
  • Train users to avoid decrypting sensitive OpenPGP messages in HTML-formatted emails

🔍 How to Verify

Check if Vulnerable:

Check Thunderbird version in Help > About Thunderbird. If version is below 147.0.1 (for latest) or 140.7.1 (for ESR), you are vulnerable.

Check Version:

thunderbird --version (Linux) or check About dialog (Windows/macOS)

Verify Fix Applied:

Confirm version is 147.0.1 or higher (or 140.7.1 or higher for ESR) in Help > About Thunderbird.
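A version check that encodes the two fixed versions above, added here as an example (it is not from the advisory or from Mozilla). It assumes `thunderbird --version` prints a line such as `Thunderbird 140.6.0` (a constructed sample) and treats the 140.x line as ESR, measured against 140.7.1; every other version is measured against 147.0.1, so 141 through 146 and anything older than 140 count as unfixed.

```python
import re
import subprocess

# Fixed versions from the advisory: 140.7.1 on the 140 ESR line, 147.0.1 otherwise.
FIXED_ESR = (140, 7, 1)
FIXED_RELEASE = (147, 0, 1)


def parse_version(text):
    """Extract (major, minor, patch) from 'thunderbird --version' output.

    Constructed sample: 'Thunderbird 140.6.0' -> (140, 6, 0).
    Missing minor/patch components default to 0.
    """
    m = re.search(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"no version number found in {text!r}")
    return tuple(int(g) if g else 0 for g in m.groups())


def is_vulnerable(version):
    """True when the version predates the fix on its branch.

    Assumption: 140.x is the ESR branch (fixed at 140.7.1). Any other
    version is compared against 147.0.1, so 141-146 and pre-140 builds
    are reported as vulnerable.
    """
    if version[0] == 140:
        return version < FIXED_ESR
    return version < FIXED_RELEASE


def check_installed(binary="thunderbird"):
    """Run `<binary> --version` (Linux) and report; None if it cannot run."""
    try:
        out = subprocess.run([binary, "--version"], capture_output=True,
                             text=True, timeout=10).stdout
    except (OSError, subprocess.TimeoutExpired):
        return None
    v = parse_version(out)
    return {"version": ".".join(map(str, v)), "vulnerable": is_vulnerable(v)}


if __name__ == "__main__":
    print(check_installed())
```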

📡 Detection & Monitoring

Log Indicators:

  • Unusual CSS or font loading from remote sources in email clients
  • Multiple failed decryption attempts on crafted emails

Network Indicators:

  • Outbound requests to attacker-controlled domains when viewing emails with CSS/font references

SIEM Query:

source="thunderbird.log" AND ("remote content" OR "css load" OR "font load") AND dest_ip NOT IN [trusted_domains]
