Skip to main content

FreeScout EUVDEUVD-2026-33440

| CVE-2026-47123 HIGH
Authentication Bypass by Spoofing (CWE-290)
2026-05-29 GitHub_M
7.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.5 HIGH
AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:H/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:H/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
High
Availability
None

Lifecycle Timeline

3
Patch available
May 29, 2026 - 21:02 EUVD
Source Code Evidence Fetched
May 29, 2026 - 20:33 vuln.today
Analysis Generated
May 29, 2026 - 20:33 vuln.today

DescriptionGitHub Advisory

FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to 1.8.220, the email processing pipeline in FreeScout's FetchEmails command has two code paths for identifying agent (user) replies based on In-Reply-To / References headers. The notification reply path (notify-{thread_id}-{user_id}-...) extracts thread_id and user_id directly from the Message-ID without HMAC verification. An external attacker who can spoof the From address of a helpdesk agent can inject messages that FreeScout processes as legitimate agent replies - which are then automatically forwarded to customers via the legitimate SMTP server. This vulnerability is fixed in 1.8.220.

AnalysisAI

Authentication bypass in FreeScout help desk (versions prior to 1.8.220) allows remote attackers who can spoof an agent's email From address to inject forged replies into customer-facing threads. The FetchEmails command's notification reply path parsed thread_id and user_id directly from the Message-ID without HMAC verification, so spoofed messages were relayed to customers through the legitimate SMTP server. No public exploit identified at time of analysis, but the upstream commit publicly documents the exact missing hash check.

Technical ContextAI

FreeScout is a PHP/Laravel-based open-source help desk and shared inbox. The vulnerability resides in app/Console/Commands/FetchEmails.php, which inspects incoming In-Reply-To / References headers to correlate replies with existing conversations. Notification Message-IDs follow the format notify-{thread_id}-{user_id}-{timestamp}@domain, and prior to the fix the timestamp segment was not cryptographically bound to the thread, allowing the parser to trust attacker-controlled values. The class CWE-290 (Authentication Bypass by Spoofing) captures the root cause: identity was inferred from an unauthenticated, attacker-influenceable identifier (the email envelope plus a guessable Message-ID) rather than verified via the HMAC the patch introduces through MailHelper::getMessageIdHash().

RemediationAI

Vendor-released patch: upgrade to FreeScout 1.8.220 or later, which adds an HMAC hash segment to outbound notification Message-IDs (SendNotificationToUsers.php) and validates that hash on inbound replies in FetchEmails.php (commit d902f19038213c6a376947d269b00440908e88a0). The fix is intentionally non-backward-compatible: legacy 3-segment Message-IDs are rejected, so in-flight customer replies relying on the old format will be dropped - operators should patch during a low-volume window and monitor logs for 'Invalid hash in the Message-ID' errors. If immediate upgrade is not possible, compensating controls include enforcing SPF/DKIM/DMARC alignment on the inbound mailbox so spoofed From addresses are rejected before FetchEmails processes them, and restricting the mailbox to only accept mail from authenticated relays or trusted upstream MX servers; the trade-off is that strict DMARC may also reject legitimate forwarded mail and mailing-list traffic. Refer to the advisory at https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-6r38-6mcf-2ww3 for full details.

CVE-2026-28289 CRITICAL POC
10.0 Mar 03

File upload bypass in FreeScout 1.8.206 — patch bypass for CVE-2026-27636. PoC and patch available. CVSS 10.0.

CVE-2026-27636 HIGH POC
8.8 Feb 25

Remote code execution in FreeScout prior to version 1.8.206 allows authenticated users to upload `.htaccess` files that

CVE-2026-27637 CRITICAL POC
9.8 Feb 25

Predictable password reset tokens in FreeScout help desk before 1.8.206. Weak random number generation allows attackers

CVE-2024-29185 CRITICAL POC
9.0 Mar 22

FreeScout is a self-hosted help desk and shared mailbox. Rated critical severity (CVSS 9.0), this vulnerability is remot

CVE-2024-29184 HIGH POC
8.0 Mar 22

FreeScout is a self-hosted help desk and shared mailbox. Rated high severity (CVSS 8.0), this vulnerability is remotely

CVE-2024-28186 HIGH POC
7.1 Mar 12

FreeScout is an open source help desk and shared inbox built with PHP. Rated high severity (CVSS 7.1), this vulnerabilit

CVE-2024-34698 MEDIUM POC
6.3 May 14

FreeScout is a free, self-hosted help desk and shared mailbox. Rated medium severity (CVSS 6.3), this vulnerability is r

CVE-2024-34697 MEDIUM POC
6.1 May 14

FreeScout is a free, self-hosted help desk and shared mailbox. Rated medium severity (CVSS 6.1), this vulnerability is r

CVE-2026-32754 CRITICAL
9.3 Mar 19

A stored cross-site scripting (XSS) vulnerability exists in FreeScout help desk software versions 1.8.208 and below, whe

CVE-2026-41193 CRITICAL
9.1 Apr 21

Arbitrary file write in FreeScout (prior to 1.8.215) allows authenticated administrators to achieve remote code executio

CVE-2026-41902 CRITICAL
9.1 May 07

Unauthenticated account takeover in FreeScout versions prior to 1.8.217 allows remote attackers to gain permanent access

CVE-2026-40498 HIGH
8.9 Apr 21

Unauthenticated remote attackers can access administrative diagnostic endpoints in FreeScout versions prior to 1.8.213,

Share

EUVD-2026-33440 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy