Cyber Posture

CVE-2026-3889

Medium

Published: 24 March 2026

Modified: 13 April 2026
KEV Added: not listed
Patch: fixed in Thunderbird 149 and 140.9
CVSS Score: 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)
EPSS Score: 0.0003 (8.4th percentile)
Risk Priority: 13 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-3889 is a medium-severity User Interface (UI) Misrepresentation of Critical Information (CWE-451) vulnerability in Mozilla Thunderbird. Its CVSS base score is 6.5 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Spearphishing Attachment (T1566.001). The CVE ranks at the 8.4th percentile by EPSS exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

Threat & Defense at a Glance

What attackers do: exploitation maps to Spearphishing Attachment (T1566.001) and 3 other techniques.

Threat & Defense Details

MITRE ATT&CK Enterprise Techniques (AI-assigned mapping)

T1566.001 Spearphishing Attachment (Initial Access)
Adversaries may send spearphishing emails with a malicious attachment in an attempt to gain access to victim systems.
T1566.002 Spearphishing Link (Initial Access)
Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems.
T1204.001 Malicious Link (Execution)
An adversary may rely upon a user clicking a malicious link in order to gain execution.
T1204.002 Malicious File (Execution)
An adversary may rely upon a user opening a malicious file in order to gain execution.
Why these techniques?

UI spoofing in Thunderbird directly facilitates convincing spearphishing emails/attachments and subsequent user execution of malicious links or files.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

Spoofing issue in Thunderbird. This vulnerability was fixed in Thunderbird 149 and Thunderbird 140.9.

Deeper analysis (AI-generated)

CVE-2026-3889 is a spoofing vulnerability (CWE-451) affecting the Mozilla Thunderbird email client. It enables user interface misrepresentation, allowing attackers to spoof critical information displayed to users. The issue was addressed in Thunderbird version 149 and Thunderbird Extended Support Release (ESR) 140.9, as detailed in Mozilla's security advisories.

Attackers can exploit this vulnerability remotely over the network with low complexity and no required privileges, but it requires user interaction, such as clicking a malicious link or opening a crafted email. Successful exploitation results in high integrity impact (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N, score 6.5), potentially tricking users into performing unintended actions, such as divulging sensitive information or executing malicious content, without affecting confidentiality or availability.

Mozilla's security advisories (MFSA 2026-23 and MFSA 2026-24) and the associated Bugzilla entry (bug 2020723) confirm the fix in the specified Thunderbird versions, recommending users update immediately to mitigate the risk. No workarounds are mentioned beyond applying the patches.

Details

CWE(s)

CWE-451 User Interface (UI) Misrepresentation of Critical Information

Affected Products

mozilla thunderbird: ≤ 140.9.0 · ≤ 149.0

CVEs Like This One

CVE-2025-8043 (same product: Mozilla Thunderbird)
CVE-2025-1015 (same product: Mozilla Thunderbird)
CVE-2026-4371 (same product: Mozilla Thunderbird)
CVE-2026-6762 (same product: Mozilla Thunderbird)
CVE-2025-1932 (same product: Mozilla Thunderbird)
CVE-2026-2447 (same product: Mozilla Thunderbird)
CVE-2026-6784 (same product: Mozilla Thunderbird)
CVE-2026-2634 (same vendor: Mozilla)
CVE-2026-0877 (same product: Mozilla Thunderbird)
CVE-2025-8034 (same product: Mozilla Thunderbird)