{"api_version":"1","generated_at":"2026-04-24T00:32:39+00:00","cve":"CVE-2025-26696","urls":{"html":"https://cve.report/CVE-2025-26696","api":"https://cve.report/api/cve/CVE-2025-26696.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2025-26696","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2025-26696"},"summary":{"title":"Crafted email message incorrectly shown as being encrypted","description":"Certain crafted MIME email messages that claimed to contain an encrypted OpenPGP message, which instead contained an OpenPGP signed message, were wrongly shown as being encrypted. This vulnerability was fixed in Thunderbird 136 and Thunderbird 128.8.","state":"PUBLISHED","assigner":"mozilla","published_at":"2025-03-10 19:15:40","updated_at":"2026-04-13 15:16:54"},"problem_types":["CWE-290","CWE-290 CWE-290 Authentication Bypass by Spoofing"],"metrics":[{"version":"3.1","source":"ADP","type":"DECLARED","score":"7","severity":"HIGH","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L","data":{"attackComplexity":"HIGH","attackVector":"NETWORK","availabilityImpact":"LOW","baseScore":7,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"LOW","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L","version":"3.1"}},{"version":"3.1","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","score":"7","severity":"HIGH","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L","baseScore":7,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"LOW","availabilityImpact":"LOW"}}],"references":[{"url":"https://www.mozilla.org/security/advisories/mfsa2025-17/","name":"https://www.mozilla.org/security/advisories/mfsa2025-17/","refsource":"security@mozilla.org","tags":["Vendor Advisory"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://bugzilla.mozilla.org/show_bug.cgi?id=1864205","name":"https://bugzilla.mozilla.org/show_bug.cgi?id=1864205","refsource":"security@mozilla.org","tags":["Issue Tracking"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.mozilla.org/security/advisories/mfsa2025-18/","name":"https://www.mozilla.org/security/advisories/mfsa2025-18/","refsource":"security@mozilla.org","tags":["Vendor Advisory"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2025-26696","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-26696","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Mozilla","product":"Thunderbird","version":"unaffected 128.8 128.* rpm","platforms":[]},{"source":"CNA","vendor":"Mozilla","product":"Thunderbird","version":"unaffected 136 * rpm","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[{"source":"CNA","value":"Marcus Brinkmann","lang":"en"}],"nvd_cpes":[{"cve_year":"2025","cve_id":"26696","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"mozilla","cpe5":"thunderbird","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"metrics":[{"cvssV3_1":{"attackComplexity":"HIGH","attackVector":"NETWORK","availabilityImpact":"LOW","baseScore":7,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"LOW","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L","version":"3.1"}},{"other":{"content":{"id":"CVE-2025-26696","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","timestamp":"2025-03-11T19:15:27.829296Z","version":"2.0.3"},"type":"ssvc"}}],"problemTypes":[{"descriptions":[{"cweId":"CWE-290","description":"CWE-290 Authentication Bypass by Spoofing","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2025-03-11T19:17:04.139Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"title":"CISA ADP Vulnrichment"}],"cna":{"affected":[{"product":"Thunderbird","vendor":"Mozilla","versions":[{"lessThanOrEqual":"128.*","status":"unaffected","version":"128.8","versionType":"rpm"},{"lessThanOrEqual":"*","status":"unaffected","version":"136","versionType":"rpm"}]}],"credits":[{"lang":"en","value":"Marcus Brinkmann"}],"descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"Certain crafted MIME email messages that claimed to contain an encrypted OpenPGP message, which instead contained an OpenPGP signed message, were wrongly shown as being encrypted. This vulnerability was fixed in Thunderbird 136 and Thunderbird 128.8."}],"value":"Certain crafted MIME email messages that claimed to contain an encrypted OpenPGP message, which instead contained an OpenPGP signed message, were wrongly shown as being encrypted. This vulnerability was fixed in Thunderbird 136 and Thunderbird 128.8."}],"providerMetadata":{"dateUpdated":"2026-04-13T14:27:27.799Z","orgId":"f16b083a-5664-49f3-a51e-8d479e5ed7fe","shortName":"mozilla"},"references":[{"url":"https://bugzilla.mozilla.org/show_bug.cgi?id=1864205"},{"url":"https://www.mozilla.org/security/advisories/mfsa2025-17/"},{"url":"https://www.mozilla.org/security/advisories/mfsa2025-18/"}],"title":"Crafted email message incorrectly shown as being encrypted"}},"cveMetadata":{"assignerOrgId":"f16b083a-5664-49f3-a51e-8d479e5ed7fe","assignerShortName":"mozilla","cveId":"CVE-2025-26696","datePublished":"2025-03-10T18:41:25.205Z","dateReserved":"2025-02-13T22:03:43.233Z","dateUpdated":"2026-04-13T14:27:27.799Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2025-03-10 19:15:40","lastModifiedDate":"2026-04-13 15:16:54","problem_types":["CWE-290","CWE-290 CWE-290 Authentication Bypass by Spoofing"],"metrics":{"cvssMetricV31":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L","baseScore":7,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"LOW","availabilityImpact":"LOW"},"exploitabilityScore":2.2,"impactScore":4.7}]},"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*","versionEndExcluding":"128.8.0","matchCriteriaId":"D3C5A2B6-C7B5-4888-B0A7-9DA0C3024C71"},{"vulnerable":true,"criteria":"cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*","versionStartIncluding":"129.0","versionEndExcluding":"136.0","matchCriteriaId":"93C81C9D-FC2E-4D7D-A97F-8DB97ED92192"}]}]}]},"legacy_mitre":{"record":{"CveYear":"2025","CveId":"26696","Ordinal":"1","Title":"Crafted email message incorrectly shown as being encrypted","CVE":"CVE-2025-26696","Year":"2025"},"notes":[{"CveYear":"2025","CveId":"26696","Ordinal":"1","NoteData":"Certain crafted MIME email messages that claimed to contain an encrypted OpenPGP message, which instead contained an OpenPGP signed message, were wrongly shown as being encrypted. This vulnerability was fixed in Thunderbird 136 and Thunderbird 128.8.","Type":"Description","Title":"Crafted email message incorrectly shown as being encrypted"}]}}}