Skip to main content

FreeScout EUVDEUVD-2026-24171

| CVE-2026-40569 CRITICAL
Improper Access Control (CWE-284)
2026-04-21 security-advisories@github.com
9.0
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
9.0 CRITICAL
AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:L

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
Low

Lifecycle Timeline

7
Patch released
Apr 22, 2026 - 21:10 nvd
Patch available
Re-analysis Queued
Apr 21, 2026 - 18:22 vuln.today
cvss_changed
Patch available
Apr 21, 2026 - 18:01 EUVD
Analysis Generated
Apr 21, 2026 - 17:35 vuln.today
EUVD ID Assigned
Apr 21, 2026 - 17:22 euvd
EUVD-2026-24171
Analysis Generated
Apr 21, 2026 - 17:22 vuln.today
CVE Published
Apr 21, 2026 - 17:16 nvd
CRITICAL 9.0

DescriptionGitHub Advisory

FreeScout is a free self-hosted help desk and shared mailbox. Versions prior to 1.8.213 have a mass assignment vulnerability in the mailbox connection settings endpoints of FreeScout (connectionIncomingSave() at app/Http/Controllers/MailboxesController.php:468 and connectionOutgoingSave() at line 398). Both methods pass $request->all() directly to $mailbox->fill() without any field allowlisting, allowing an authenticated admin to overwrite any of the 32 fields in the Mailbox model's $fillable array -- including security-critical fields that do not belong to the connection settings form, such as auto_bcc, out_server, out_password, signature, auto_reply_enabled, and auto_reply_message. Validation in connectionIncomingSave() is entirely commented out, and the validator in connectionOutgoingSave() only checks value formats for SMTP fields without stripping extra parameters. An authenticated admin user can exploit this by appending hidden parameters (e.g., auto_bcc=attacker@evil.com) to a legitimate connection settings save request. Because the auto_bcc field is not displayed on the connection settings form (it only appears on the general mailbox settings page), the injection is invisible to other administrators reviewing connection settings. Once set, every outgoing email from the affected mailbox is silently BCC'd to the attacker via the SendReplyToCustomer job. The same mechanism allows redirecting outgoing SMTP through an attacker-controlled server, injecting tracking pixels or phishing links into email signatures, and enabling attacker-crafted auto-replies -- all from a single HTTP request. This is particularly dangerous in multi-admin environments where one admin can silently surveil mailboxes managed by others, and when an admin session is compromised via a separate vulnerability (e.g., XSS), the attacker gains persistent email exfiltration that survives session expiry. Version 1.8.213 fixes the issue.

AnalysisAI

Mass assignment vulnerability in FreeScout versions before 1.8.213 allows authenticated administrators to covertly exfiltrate all outgoing emails and inject malicious content into email communications. By exploiting unfiltered parameter binding in mailbox connection settings endpoints, an attacker with admin credentials can silently set auto_bcc to forward copies of every outgoing email, redirect SMTP traffic through attacker-controlled servers, inject tracking pixels or phishing links into signatures, and enable malicious auto-replies-all invisible to other administrators. The CVSS score of 9.0 reflects high confidentiality and integrity impact with changed scope, though exploitation requires high-privilege (admin) access. No public exploit code or CISA KEV listing identified, but the vulnerability is particularly dangerous in multi-admin deployments and when combined with session compromise vectors like XSS (noted in tags), as it provides persistent email surveillance beyond initial access.

Technical ContextAI

This is a classic mass assignment vulnerability (CWE-284: Improper Access Control) in a Laravel-based PHP application. The affected code in MailboxesController.php uses Laravel's model mass assignment feature incorrectly by passing the entire HTTP request payload ($request->all()) directly to the Mailbox model's fill() method without allowlisting specific fields. Laravel's Eloquent ORM allows mass assignment to any field listed in a model's $fillable array-in this case, 32 different mailbox configuration fields. The vulnerability exists because the connection settings endpoints (connectionIncomingSave() and connectionOutgoingSave()) expose fillable fields that should only be modifiable through other, more restricted endpoints. The incoming connection method has validation entirely commented out, while the outgoing method only validates SMTP-specific field formats without filtering which parameters are accepted. This allows attackers to inject assignments to security-sensitive fields like auto_bcc (blind carbon copy recipients), out_server (SMTP relay server), out_password (SMTP credentials), signature (HTML email signatures), and auto_reply_message that are not part of the connection settings UI but share the same underlying model.

RemediationAI

Upgrade immediately to FreeScout version 1.8.213 or later, available at https://github.com/freescout-help-desk/freescout/releases/tag/1.8.213. The patch implements proper input filtering in both connectionIncomingSave() and connectionOutgoingSave() methods to allowlist only connection-specific parameters, preventing injection of security-sensitive fields like auto_bcc, out_server, signature, and auto_reply settings. After upgrading, audit all existing mailbox configurations for unauthorized modifications: review auto_bcc recipients in mailbox settings, verify out_server SMTP configurations match expected values, inspect email signatures for injected content, and check auto_reply settings for unexpected messages. If immediate patching is not possible, implement application-layer Web Application Firewall rules to block POST requests to /mailbox/connection/* endpoints containing parameters outside the expected set (in_server, in_port, in_username, in_password, out_server, out_port, out_username, out_password, out_encryption)-though this is complex to maintain and may break legitimate functionality. Review admin account access logs for suspicious connection setting changes and consider temporarily restricting mailbox configuration privileges to a single trusted administrator until patching is complete. Note that manual database inspection may be required to detect historical exploitation as the injected values appear as legitimate configuration in the mailboxes table.

More in PHP

View all
CVE-2012-1823 CRITICAL POC
9.8 May 11

sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not

CVE-2016-1555 CRITICAL POC
9.8 Apr 21

(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear

CVE-2024-11680 CRITICAL POC
9.8 Nov 26

ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C

CVE-2025-49113 CRITICAL POC
9.9 Jun 02

Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au

CVE-2017-9841 CRITICAL POC
9.8 Jun 27

Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c

CVE-2025-0108 HIGH POC
8.8 Feb 12

Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers

CVE-2021-25298 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2021-25296 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2013-4983 CRITICAL POC
10.0 Sep 10

The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-46506 CRITICAL POC
10.0 May 13

NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

Share

EUVD-2026-24171 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy