Inbox Zero CVE-2026-42865

EUVD-2026-29169
Severity: LOW (CVSS 4.0 score 2.3)
Information Exposure (CWE-200)
2026-05-11 GitHub_M

CVSS Vector (NVD)

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: X

Lifecycle Timeline (5)

Patch available: May 11, 2026 - 19:02, EUVD
Source Code Evidence Fetched: May 11, 2026 - 18:48, vuln.today
Analysis Generated: May 11, 2026 - 18:48, vuln.today
CVSS changed: May 11, 2026 - 18:22, NVD, 2.3 (LOW)
CVE Published: May 11, 2026 - 17:53, nvd, LOW 2.3

Description (NVD)

Inbox Zero is an AI personal assistant for email. Prior to 2.29.3, the cleaner email stream endpoint used a shared Redis subscription listener, which could deliver thread events for one authenticated account to another authenticated account using the cleaner feature at the same time. This vulnerability is fixed in 2.29.3.

Analysis (AI)

Cross-account email event leakage in Inbox Zero prior to 2.29.3 allows authenticated users of the cleaner feature to receive thread events intended for other authenticated accounts via a shared Redis subscription listener. The vulnerability requires both accounts to be actively using the cleaner feature simultaneously and affects only confidentiality of email metadata, with low attack complexity but requiring prior authentication and precise timing.
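
The bug class named in the description, a listener on a shared subscription that forwards events without checking whose they are, can be modelled as follows. This is an added sketch, not Inbox Zero's code and not the 2.29.3 fix: `FakeSubscriber`, the `threads:<accountId>` channel names and both `openStream*` functions are hypothetical, and the channel check is one possible mitigation.

```javascript
// Constructed in-memory stand-in for ONE shared pub/sub subscriber connection.
// Like a real shared subscriber, every registered listener sees every message
// on every channel the connection is subscribed to.
class FakeSubscriber {
  constructor() { this.channels = new Set(); this.listeners = new Set(); }
  subscribe(channel) { this.channels.add(channel); }
  onMessage(fn) { this.listeners.add(fn); return () => this.listeners.delete(fn); }
  deliver(channel, message) {
    if (!this.channels.has(channel)) return;
    for (const fn of this.listeners) fn(channel, message);
  }
}

// Weak pattern (hypothetical): each stream listens on the shared connection
// and forwards whatever arrives, never checking the channel.
function openStreamShared(sub, accountId, sink) {
  sub.subscribe(`threads:${accountId}`);
  return sub.onMessage((_channel, message) => sink.push(message));
}

// Hardened pattern (hypothetical): the stream forwards only messages that
// arrived on the channel belonging to its own authenticated account.
function openStreamScoped(sub, accountId, sink) {
  const own = `threads:${accountId}`;
  sub.subscribe(own);
  return sub.onMessage((channel, message) => {
    if (channel === own) sink.push(message);
  });
}

// Two accounts stream at the same time; one event is published for account A.
// Returns what each account's stream received (constructed sample values).
function simulate(openStream) {
  const sub = new FakeSubscriber();
  const a = [];
  const b = [];
  const closeA = openStream(sub, "acct-A", a);
  const closeB = openStream(sub, "acct-B", b);
  sub.deliver("threads:acct-A", "thread-event-for-A");
  closeA();
  closeB();
  return { a, b };
}

console.log("shared:", simulate(openStreamShared));
console.log("scoped:", simulate(openStreamScoped));
```

A regression test for this class of bug opens two concurrent streams for different accounts and asserts that the second one receives nothing published for the first.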
