CVE-2026-47123— FreeScout: Agent Impersonation via Missing HMAC Verification on Notification Reply Message-ID Path
Possible ATT&CK Techniques 1AI
T1566.002 · Spearphishing LinkAffected Version Matrix 1
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| freescout-help-desk | freescout | < 1.8.220 | affected |
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-47123
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
FreeScout: Agent Impersonation via Missing HMAC Verification on Notification Reply Message-ID Path
Source: NVD (National Vulnerability Database)
Vulnerability Description
FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to 1.8.220, the email processing pipeline in FreeScout's FetchEmails command has two code paths for identifying agent (user) replies based on In-Reply-To / References headers. The notification reply path (notify-{thread_id}-{user_id}-...) extracts thread_id and user_id directly from the Message-ID without HMAC verification. An external attacker who can spoof the From address of a helpdesk agent can inject messages that FreeScout processes as legitimate agent replies — which are then automatically forwarded to customers via the legitimate SMTP server. This vulnerability is fixed in 1.8.220.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:H/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
使用欺骗进行的认证绕过
Source: NVD (National Vulnerability Database)
Vulnerability Title
FreeScout 数据伪造问题漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
FreeScout是FreeScout公司的一个使用 PHP(Laravel 框架)构建的超轻量级且功能强大的免费开源帮助台和共享收件箱。 FreeScout 1.8.220之前版本存在数据伪造问题漏洞,该漏洞源于邮件处理管道中基于In-Reply-To/References标头识别代理回复时,通知回复路径从Message-ID中提取thread_id和user_id而未进行HMAC验证,可能导致外部攻击者伪造帮助台代理的From地址注入被处理为合法代理回复的消息。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| freescout-help-desk | freescout | < 1.8.220 | - |
II. Public POCs for CVE-2026-47123
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
Qwen3.6-35B-A3B · 8629 chars
Pro+ exclusive includes:
Vulnerability reproduction recording (real sandbox build + trigger, exclusive)
In-depth vulnerability mechanism
Trigger conditions & impact
Full executable POC code
Exploit chain & mitigation
POC zip download
100+ AI POC generations per month
III. Intelligence Information for CVE-2026-47123
请登录查看更多情报信息。
Patches & Fixes for CVE-2026-47123 (1)
Vendor Advisories for CVE-2026-47123 (1)
Same Patch Batch · freescout-help-desk · 2026-05-29 · 4 CVEs total
| CVE-2026-45294 | 5.3 MEDIUM | FreeScout: User Account Enumeration via Password Reset Response Differentiation |
| CVE-2026-48811 | 4.3 MEDIUM | FreeScout: Thread Deletion Bypasses Mailbox Access Revocation |
| CVE-2026-48810 | 4.3 MEDIUM | FreeScout: Thread Edit Authorization Bypass via Missing Mailbox Check |
IV. Related Vulnerabilities
Same product: freescout
- CVE-2026-45294
FreeScout: User Account Enumeration via Password Reset Respo - CVE-2026-48810
FreeScout: Thread Edit Authorization Bypass via Missing Mail - CVE-2026-48811
FreeScout: Thread Deletion Bypasses Mailbox Access Revocatio - CVE-2026-41906
FreeScout: Conversation Change-Customer Cross-Mailbox Author - CVE-2026-41905
FreeScout vulnerable to SSRF via Helper::sanitizeRemoteUrl:
Same vendor: freescout-help-desk
- CVE-2026-45294
FreeScout: User Account Enumeration via Password Reset Respo - CVE-2026-48810
FreeScout: Thread Edit Authorization Bypass via Missing Mail - CVE-2026-48811
FreeScout: Thread Deletion Bypasses Mailbox Access Revocatio - CVE-2026-41906
FreeScout: Conversation Change-Customer Cross-Mailbox Author - CVE-2026-41905
FreeScout vulnerable to SSRF via Helper::sanitizeRemoteUrl:
Same weakness: CWE-290
- CVE-2026-42662
WordPress Event Tickets plugin <= 5.27.5 - Bypass Vulnerabil - CVE-2026-27089
WordPress WpTravelly plugin <= 2.1.7 - Bypass Vulnerability - CVE-2026-49757
OAuth2/OIDC account takeover in AshAuthentication via email- - CVE-2026-34025
IP restriction bypass in Wertheim SafeController Software al - CVE-2026-53833
QQBot for OpenClaw < 2026.4.29 - Authorization Bypass via QQ
V. Comments for CVE-2026-47123
No comments yet