Severity by source
AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:H/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:H/A:N
Lifecycle Timeline
3DescriptionGitHub Advisory
FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to 1.8.220, the email processing pipeline in FreeScout's FetchEmails command has two code paths for identifying agent (user) replies based on In-Reply-To / References headers. The notification reply path (notify-{thread_id}-{user_id}-...) extracts thread_id and user_id directly from the Message-ID without HMAC verification. An external attacker who can spoof the From address of a helpdesk agent can inject messages that FreeScout processes as legitimate agent replies - which are then automatically forwarded to customers via the legitimate SMTP server. This vulnerability is fixed in 1.8.220.
AnalysisAI
Authentication bypass in FreeScout help desk (versions prior to 1.8.220) allows remote attackers who can spoof an agent's email From address to inject forged replies into customer-facing threads. The FetchEmails command's notification reply path parsed thread_id and user_id directly from the Message-ID without HMAC verification, so spoofed messages were relayed to customers through the legitimate SMTP server. No public exploit identified at time of analysis, but the upstream commit publicly documents the exact missing hash check.
Technical ContextAI
FreeScout is a PHP/Laravel-based open-source help desk and shared inbox. The vulnerability resides in app/Console/Commands/FetchEmails.php, which inspects incoming In-Reply-To / References headers to correlate replies with existing conversations. Notification Message-IDs follow the format notify-{thread_id}-{user_id}-{timestamp}@domain, and prior to the fix the timestamp segment was not cryptographically bound to the thread, allowing the parser to trust attacker-controlled values. The class CWE-290 (Authentication Bypass by Spoofing) captures the root cause: identity was inferred from an unauthenticated, attacker-influenceable identifier (the email envelope plus a guessable Message-ID) rather than verified via the HMAC the patch introduces through MailHelper::getMessageIdHash().
RemediationAI
Vendor-released patch: upgrade to FreeScout 1.8.220 or later, which adds an HMAC hash segment to outbound notification Message-IDs (SendNotificationToUsers.php) and validates that hash on inbound replies in FetchEmails.php (commit d902f19038213c6a376947d269b00440908e88a0). The fix is intentionally non-backward-compatible: legacy 3-segment Message-IDs are rejected, so in-flight customer replies relying on the old format will be dropped - operators should patch during a low-volume window and monitor logs for 'Invalid hash in the Message-ID' errors. If immediate upgrade is not possible, compensating controls include enforcing SPF/DKIM/DMARC alignment on the inbound mailbox so spoofed From addresses are rejected before FetchEmails processes them, and restricting the mailbox to only accept mail from authenticated relays or trusted upstream MX servers; the trade-off is that strict DMARC may also reject legitimate forwarded mail and mailing-list traffic. Refer to the advisory at https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-6r38-6mcf-2ww3 for full details.
File upload bypass in FreeScout 1.8.206 — patch bypass for CVE-2026-27636. PoC and patch available. CVSS 10.0.
Remote code execution in FreeScout prior to version 1.8.206 allows authenticated users to upload `.htaccess` files that
Predictable password reset tokens in FreeScout help desk before 1.8.206. Weak random number generation allows attackers
FreeScout is a self-hosted help desk and shared mailbox. Rated critical severity (CVSS 9.0), this vulnerability is remot
FreeScout is a self-hosted help desk and shared mailbox. Rated high severity (CVSS 8.0), this vulnerability is remotely
FreeScout is an open source help desk and shared inbox built with PHP. Rated high severity (CVSS 7.1), this vulnerabilit
FreeScout is a free, self-hosted help desk and shared mailbox. Rated medium severity (CVSS 6.3), this vulnerability is r
FreeScout is a free, self-hosted help desk and shared mailbox. Rated medium severity (CVSS 6.1), this vulnerability is r
A stored cross-site scripting (XSS) vulnerability exists in FreeScout help desk software versions 1.8.208 and below, whe
Arbitrary file write in FreeScout (prior to 1.8.215) allows authenticated administrators to achieve remote code executio
Unauthenticated account takeover in FreeScout versions prior to 1.8.217 allows remote attackers to gain permanent access
Unauthenticated remote attackers can access administrative diagnostic endpoints in FreeScout versions prior to 1.8.213,
Same weakness CWE-290 – Authentication Bypass by Spoofing
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33440