CVE-2026-40569— FreeScout's Mass Assignment in Mailbox Connection Settings Enables Silent Email Exfiltration
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-40569
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
FreeScout's Mass Assignment in Mailbox Connection Settings Enables Silent Email Exfiltration
Source: NVD (National Vulnerability Database)
Vulnerability Description
FreeScout is a free self-hosted help desk and shared mailbox. Versions prior to 1.8.213 have a mass assignment vulnerability in the mailbox connection settings endpoints of FreeScout (`connectionIncomingSave()` at `app/Http/Controllers/MailboxesController.php:468` and `connectionOutgoingSave()` at line 398). Both methods pass `$request->all()` directly to `$mailbox->fill()` without any field allowlisting, allowing an authenticated admin to overwrite any of the 32 fields in the Mailbox model's `$fillable` array -- including security-critical fields that do not belong to the connection settings form, such as `auto_bcc`, `out_server`, `out_password`, `signature`, `auto_reply_enabled`, and `auto_reply_message`. Validation in `connectionIncomingSave()` is entirely commented out, and the validator in `connectionOutgoingSave()` only checks value formats for SMTP fields without stripping extra parameters. An authenticated admin user can exploit this by appending hidden parameters (e.g., `auto_bcc=attacker@evil.com`) to a legitimate connection settings save request. Because the `auto_bcc` field is not displayed on the connection settings form (it only appears on the general mailbox settings page), the injection is invisible to other administrators reviewing connection settings. Once set, every outgoing email from the affected mailbox is silently BCC'd to the attacker via the `SendReplyToCustomer` job. The same mechanism allows redirecting outgoing SMTP through an attacker-controlled server, injecting tracking pixels or phishing links into email signatures, and enabling attacker-crafted auto-replies -- all from a single HTTP request. This is particularly dangerous in multi-admin environments where one admin can silently surveil mailboxes managed by others, and when an admin session is compromised via a separate vulnerability (e.g., XSS), the attacker gains persistent email exfiltration that survives session expiry. Version 1.8.213 fixes the issue.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:L
Source: NVD (National Vulnerability Database)
Vulnerability Type
访问控制不恰当
Source: NVD (National Vulnerability Database)
Vulnerability Title
FreeScout 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
FreeScout是FreeScout公司的一个使用 PHP(Laravel 框架)构建的超轻量级且功能强大的免费开源帮助台和共享收件箱。 FreeScout 1.8.213之前版本存在安全漏洞,该漏洞源于邮箱连接设置端点中的connectionIncomingSave和connectionOutgoingSave方法将$request->all直接传递给$mailbox->fill,可能导致经过身份验证的管理员用户覆盖Mailbox模型中的任何可填充字段,包括安全关键字段,从而静默密送邮件或重定向SMT
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Shenlong Deep Dive — AI Deep Analysis
10-question deep dive: root cause, exploitation, mitigation, urgency. Read summary free, full version requires login.
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| freescout-help-desk | freescout | < 1.8.213 | - |
II. Public POCs for CVE-2026-40569
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-40569
Please Login to view more intelligence information
- Release 1.8.213 · freescout-help-desk/freescout · GitHubx_refsource_MISC
- https://nvd.nist.gov/vuln/detail/CVE-2026-40569
Same Patch Batch · freescout-help-desk · 2026-04-21 · 20 CVEs total
| CVE-2026-41193 | 9.1 CRITICAL | FreeScout has Zip Slip path traversal in module installation that allows arbitrary file wr |
| CVE-2026-40568 | 8.5 HIGH | FreeScout Vulnerable to XSS via Mailbox Signature Due to Incomplete HTML Sanitization |
| CVE-2026-40497 | 8.1 HIGH | FreeScout Vulnerable to CSS Injection via Stored Style Tag in Mailbox Signature (CSRF Toke |
| CVE-2026-40589 | 7.6 HIGH | FreeScout has Customer Edit Cross-Mailbox Email Takeover |
| CVE-2026-41190 | 7.1 HIGH | FreeScout has assigned-only visibility bypass via save_draft that allows hidden conversati |
| CVE-2026-41189 | 7.1 HIGH | FreeScout has assigned-only visibility bypass that allows editing hidden customer-authored |
| CVE-2026-41191 | 7.1 HIGH | FreeScout's signature only mailbox permission allows unauthorized mailbox chat setting cha |
| CVE-2026-40591 | 7.1 HIGH | FreeScout: Improper Authorization in Phone Conversation Creation Enables Cross-Mailbox Hid |
| CVE-2026-41192 | 7.1 HIGH | FreeScout's client-controlled attachment IDs allow deletion of existing conversation attac |
| CVE-2026-40565 | 6.1 MEDIUM | FreeScout has Stored XSS / CSS Injection via linkify() — Unescaped URL in Anchor href |
| CVE-2026-40592 | 5.9 MEDIUM | FreeScout's cross-user undo reply allows mailbox peers to recall another agent's outbound |
| CVE-2026-40567 | 5.8 MEDIUM | FreeScout has HTML Injection in Outgoing Emails via Unsanitized Customer Name in Signature |
| CVE-2026-41194 | 5.4 MEDIUM | FreeScout's Mailbox OAuth disconnect uses a state-changing GET and is CSRFable |
| CVE-2026-41183 | 4.3 MEDIUM | FreeScout allows non-folder conversation queries to disclose assigned-only hidden conversa |
| CVE-2026-40590 | 4.3 MEDIUM | FreeScout's Customer AJAX Create Modifies Hidden Existing Customer |
| CVE-2026-40566 | 4.1 MEDIUM | FreeScout vulnerable to SSRF via IMAP/SMTP Connection Test Endpoints |
| CVE-2026-40498 | FreeScout has Authentication Bypass and Information Disclosure in SystemController via /sy | |
| CVE-2026-40570 | FreeScout's Missing Authorization in load_customer_info Allows Any Authenticated User to A | |
| CVE-2026-40496 | FreeScout has Predictable Attachment Token that Allows Unauthenticated Private File Downlo |
IV. Related Vulnerabilities
Same product: freescout
- CVE-2026-41906
FreeScout: Conversation Change-Customer Cross-Mailbox Author - CVE-2026-41905
FreeScout vulnerable to SSRF via Helper::sanitizeRemoteUrl: - CVE-2026-41904
FreeScout Stored XSS vulnerability in mailbox auto-reply: pa - CVE-2026-41902
FreeScout's user invitation hash never expires: permanent un - CVE-2026-41903
FreeScout IDOR Vulnerability: PERM_EDIT_USERS allows modifyi
Same vendor: freescout-help-desk
- CVE-2026-41906
FreeScout: Conversation Change-Customer Cross-Mailbox Author - CVE-2026-41905
FreeScout vulnerable to SSRF via Helper::sanitizeRemoteUrl: - CVE-2026-41904
FreeScout Stored XSS vulnerability in mailbox auto-reply: pa - CVE-2026-41902
FreeScout's user invitation hash never expires: permanent un - CVE-2026-41903
FreeScout IDOR Vulnerability: PERM_EDIT_USERS allows modifyi
Same weakness: CWE-284
- CVE-2026-42205
Avo: Broken Access Control: Unauthorized Execution of Arbitr - CVE-2026-41487
Langfuse: Improper role-based-access control in Langfuse LLM - CVE-2026-42278
UltraDAG: Smart Account Spending Policy Bypass via Pockets - CVE-2026-41646
Nuclei: Local File Read via require() Module Loader Bypass - CVE-2026-8127
eladmin Users API Endpoint UserController.java checkLevel ac
V. Comments for CVE-2026-40569
No comments yet