Description
FreeScout is a free self-hosted help desk and shared mailbox. Versions prior to 1.8.213 have a Server-Side Request Forgery (SSRF) vulnerability in the IMAP/SMTP connection test functionality of FreeScout's `MailboxesController`. Three AJAX actions `fetch_test` (line 731), `send_test` (line 682), and `imap_folders` (line 773) in `app/Http/Controllers/MailboxesController.php` pass admin-configured `in_server`/`in_port` and `out_server`/`out_port` values directly to `fsockopen()` via `Helper::checkPort()` and to IMAP/SMTP client connections with zero SSRF protection. There is no IP validation, no hostname restriction, no blocklist of internal ranges, and no call to the project's own `sanitizeRemoteUrl()` or `checkUrlIpAndHost()` functions. The validation block in `connectionIncomingSave()` is entirely commented out. An authenticated admin can configure a mailbox's IMAP or SMTP server to point at any internal host and port, then trigger a connection test. The server opens raw TCP connections (via `fsockopen()`) and protocol-level connections (via IMAP client or SMTP transport) to the attacker-specified target. The response differentiates open from closed ports, enabling internal network port scanning. When the IMAP client connects to a non-IMAP service, the target's service banner or error response is captured in the IMAP debug log and returned in the AJAX response's `log` field, making this a semi-blind SSRF that enables service fingerprinting. In cloud environments, the metadata endpoint at `169[.]254[.]169[.]254` can be probed and partial response data may be leaked through protocol error messages. This is distinct from the `sanitizeRemoteUrl()` redirect bypass (freescout-3) -- different code path, different root cause, different protocol layer. Version 1.8.213 patches the vulnerability.
Published: 2026-04-21
Score: 4.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Server-Side Request Forgery exposing internal hosts and port scanning capability
Action: Immediate Patch
AI Analysis

Impact

FreeScout’s MailboxesController allows an authenticated administrator to execute a Server‑Side Request Forgery by specifying arbitrary internal IMAP or SMTP server addresses for connection testing. The back‑end code directly passes the admin‑configured server hostname and port to low‑level socket or protocol clients without any IP validation, hostname restriction or blocklist. This results in the FreeScout service opening raw TCP connections and protocol‑level client connections to an attacker‑chosen target, revealing whether the port is open, and when connecting to non‑IMAP/SMTP services, returning the target’s service banner or error message in the AJAX response’s log field. In cloud deployments, this also permits probing the instance metadata endpoint, potentially leaking partial response data through protocol error messages.

Affected Systems

Versions of the freescout-help-desk `freescout` product older than 1.8.213 are affected. Any instance of the application running one of these versions, with an administrative account able to configure mailboxes, is vulnerable.

Risk and Exploitability

The vulnerability carries a CVSS score of 4.1, indicating moderate severity; the EPSS score is not available and the issue is not listed in the CISA KEV catalog. Although the flaw requires authenticated administrative access, it permits the attacker to probe internal network services, gain service fingerprints, and in some cases retrieve sensitive metadata. The attack path is straightforward: an admin configures mailbox settings to point to a chosen internal host and port, then triggers a connection test. The lack of outbound connection restrictions and the server’s ability to open arbitrary sockets make exploitation highly feasible in environments where the application is reachable by authorised administrators.

Generated by OpenCVE AI on April 21, 2026 at 22:44 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade FreeScout to version 1.8.213 or later to apply the vendor‑provided patch.
  • If immediate upgrade is impractical, restrict the connection test feature to a narrowly defined set of trusted IP ranges or disable it entirely for non‑essential accounts.
  • Implement network segmentation and firewall rules that block outbound connections from the FreeScout server to internal IP ranges not required for normal operation, thereby limiting the blast radius of any SSRF attempt.
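The description above says the connection-test actions hand `in_server`/`in_port` and `out_server`/`out_port` straight to `Helper::checkPort()` and `fsockopen()` with no IP validation, no hostname restriction and no blocklist of internal ranges. The following PHP is an added example of the kind of pre-connection check the recommended actions call for; it is not FreeScout's code and not its patch. The class `MailServerTargetPolicy` and the function `testMailServer()` are hypothetical names; `fsockopen()` and the internal-range semantics of PHP's `FILTER_FLAG_NO_PRIV_RANGE` / `FILTER_FLAG_NO_RES_RANGE` are real PHP. The check resolves the admin-supplied host first, so a DNS name pointing at an internal address is caught as well, and the connection is then made to the resolved IP rather than the name.

```php
<?php
// Added example (hypothetical names, not FreeScout's code): gate an
// admin-supplied mail server target before any socket or IMAP/SMTP client
// is opened. Call this where the controller currently goes straight to
// Helper::checkPort() / fsockopen().

declare(strict_types=1);

final class MailServerTargetPolicy
{
    /**
     * Decide whether $host:$port may be contacted at all.
     * Returns ['ok' => bool, 'reason' => ?string, 'ips' => string[]].
     */
    public static function check(string $host, int $port): array
    {
        $host = trim($host);
        if ($host === '' || $port < 1 || $port > 65535) {
            return ['ok' => false, 'reason' => 'invalid host or port', 'ips' => []];
        }

        // A literal IP address is checked directly; a name is resolved first.
        if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
            $ips = [$host];
        } else {
            $ips = self::resolve($host);
            if ($ips === []) {
                return ['ok' => false, 'reason' => 'hostname does not resolve', 'ips' => []];
            }
        }

        // Every address the name maps to must be public; one internal record is enough to refuse.
        foreach ($ips as $ip) {
            if (!self::isPublicAddress($ip)) {
                return ['ok' => false, 'reason' => "resolves to non-public address $ip", 'ips' => $ips];
            }
        }
        return ['ok' => true, 'reason' => null, 'ips' => $ips];
    }

    /** Resolve A and AAAA records; returns [] on failure. */
    private static function resolve(string $host): array
    {
        $ips = [];
        $records = @dns_get_record($host, DNS_A | DNS_AAAA);
        foreach ($records ?: [] as $r) {
            if (isset($r['ip']))   { $ips[] = $r['ip']; }    // A record
            if (isset($r['ipv6'])) { $ips[] = $r['ipv6']; }  // AAAA record
        }
        return array_values(array_unique($ips));
    }

    /** True only for globally routable addresses. */
    public static function isPublicAddress(string $ip): bool
    {
        // NO_PRIV_RANGE rejects 10/8, 172.16/12, 192.168/16 and fc00::/7.
        // NO_RES_RANGE rejects 0/8, 127/8, 240/4, ::1, ::, ::ffff:0:0/96, fe80::/10
        // and 169.254/16, which contains the cloud metadata address 169.254.169.254.
        $flags = FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
        if (filter_var($ip, FILTER_VALIDATE_IP, $flags) === false) {
            return false;
        }
        // Belt and braces for IPv4-mapped IPv6 literals such as ::ffff:10.0.0.1.
        if (stripos($ip, '::ffff:') === 0) {
            return false;
        }
        return true;
    }
}

// Hypothetical replacement for the unchecked port test: refuse non-public
// targets, connect to the already-resolved IP (not the name, so a second
// lookup cannot answer differently), and return only a coarse verdict so the
// AJAX response carries no banner or error text from the remote service.
function testMailServer(string $host, int $port): string
{
    $verdict = MailServerTargetPolicy::check($host, $port);
    if (!$verdict['ok']) {
        return 'refused: ' . $verdict['reason'];
    }
    $ip = $verdict['ips'][0];
    $target = strpos($ip, ':') !== false ? "[$ip]" : $ip;   // bracket IPv6 literals for fsockopen()
    $errno = 0;
    $errstr = '';
    $sock = @fsockopen($target, $port, $errno, $errstr, 5);
    if ($sock === false) {
        return 'closed or unreachable';
    }
    fclose($sock);
    return 'open';
}
```

Two caveats for anyone adapting this: PHP's filter flags do not cover shared address space (100.64.0.0/10) or multicast (224.0.0.0/4), so a deployment that needs those excluded has to add its own prefix list; and the check only limits where the server will connect, so the connection test still reports open/closed for public hosts, which is why the response is kept to a fixed verdict rather than the remote service's own banner or error message. The network-level rules in the third recommended action remain the backstop if the application check is bypassed or regresses, as it did when the validation block in `connectionIncomingSave()` was commented out.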

Advisories

No advisories yet.

History

Wed, 22 Apr 2026 00:00:00 +0000

Type      Values Removed   Values Added
Metrics   (none)           ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 21 Apr 2026 17:45:00 +0000

Type                  Values Removed   Values Added
First Time appeared   (none)           Freescout Helpdesk; Freescout Helpdesk freescout
Vendors & Products    (none)           Freescout Helpdesk; Freescout Helpdesk freescout

Tue, 21 Apr 2026 16:30:00 +0000

Type          Values Removed   Values Added
Description   (none)           (the full CVE description, identical to the Description section at the top of this page)
Title         (none)           FreeScout vulnerable to SSRF via IMAP/SMTP Connection Test Endpoints
Weaknesses    (none)           CWE-918
References    (none)           (none listed)
Metrics       (none)           cvssV3_1: {'score': 4.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-21T17:33:11.528Z

Reserved: 2026-04-14T13:24:29.474Z

Link: CVE-2026-40566

Vulnrichment

Updated: 2026-04-21T17:33:01.166Z

NVD

Status : Deferred

Published: 2026-04-21T17:16:55.000

Modified: 2026-04-22T21:10:14.290

Link: CVE-2026-40566

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T22:45:16Z

Weaknesses