Cyber Resilience

CVE-2026-3889

Severity: Medium

Published: 24 March 2026
Modified: 13 April 2026
KEV added: not listed (not currently in the CISA KEV catalog)
Patch: available (Thunderbird 149, Thunderbird ESR 140.9)
CVSS v3.1 score: 6.5 (vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)
EPSS score: 0.0020 (10.2th percentile)
Risk priority: 35 (floored blend · peak EPSS)

Summary

CVE-2026-3889 is a medium-severity User Interface (UI) Misrepresentation of Critical Information (CWE-451) vulnerability in Mozilla Thunderbird. Its CVSS base score is 6.5 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Spearphishing Attachment (T1566.001). The vulnerability is ranked at the 10.2th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-3 (Malicious Code Protection).

Deeper analysis

CVE-2026-3889 is a spoofing vulnerability (CWE-451) affecting the Mozilla Thunderbird email client. It enables user interface misrepresentation, allowing attackers to spoof critical information displayed to users. The issue was addressed in Thunderbird version 149 and Thunderbird Extended Support Release (ESR) 140.9, as detailed in Mozilla's security advisories.

Attackers can exploit this vulnerability remotely over the network with low complexity and no required privileges, but it requires user interaction, such as clicking a malicious link or opening a crafted email. Successful exploitation results in high integrity impact (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N, score 6.5), potentially tricking users into performing unintended actions, such as divulging sensitive information or executing malicious content, without compromising confidentiality or availability.

Mozilla's security advisories (MFSA 2026-23 and MFSA 2026-24) and the associated Bugzilla entry (bug 2020723) confirm the fix in the specified Thunderbird versions, recommending users update immediately to mitigate the risk. No workarounds are mentioned beyond applying the patches.

Vulnerability details

Spoofing issue in Thunderbird. This vulnerability was fixed in Thunderbird 149 and Thunderbird 140.9.

CWE(s)

CWE-451 User Interface (UI) Misrepresentation of Critical Information

Related Threats

MITRE ATT&CK Enterprise Techniques [AI]

T1566.001 Spearphishing Attachment (Initial Access): Adversaries may send spearphishing emails with a malicious attachment in an attempt to gain access to victim systems.
T1566.002 Spearphishing Link (Initial Access): Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems.
T1204.001 Malicious Link (Execution): An adversary may rely upon a user clicking a malicious link in order to gain execution.
T1204.002 Malicious File (Execution): An adversary may rely upon a user opening a malicious file in order to gain execution.
Why these techniques?

UI spoofing in Thunderbird directly facilitates convincing spearphishing emails/attachments and subsequent user execution of malicious links or files.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-5986 · Same product: Mozilla Thunderbird
CVE-2025-3523 · Same product: Mozilla Thunderbird
CVE-2025-8043 · Same product: Mozilla Thunderbird
CVE-2025-1015 · Same product: Mozilla Thunderbird
CVE-2025-4086 · Same product: Mozilla Thunderbird
CVE-2021-29950 · Same product: Mozilla Thunderbird
CVE-2025-3932 · Same product: Mozilla Thunderbird
CVE-2025-3522 · Same product: Mozilla Thunderbird
CVE-2022-29913 · Same product: Mozilla Thunderbird
CVE-2023-0430 · Same product: Mozilla Thunderbird

Affected Assets

Vendor: mozilla
Product: thunderbird
Affected versions: ≤ 140.9.0 · ≤ 149.0

Mitigating Controls (NIST 800-53 r5) [AI]

prevent: Directly requires timely application of the vendor patches that resolve the Thunderbird UI spoofing flaw in versions 149 and 140.9.

detect: Requires integrity verification of Thunderbird software and rendered email content to detect unauthorized UI modifications or tampering.

prevent / detect: Provides malicious-code inspection and filtering for email messages that could be used to trigger the spoofing vector.
