Description
FreeScout is a free self-hosted help desk and shared mailbox. Versions prior to 1.8.213 have a mass assignment vulnerability in the mailbox connection settings endpoints of FreeScout (`connectionIncomingSave()` at `app/Http/Controllers/MailboxesController.php:468` and `connectionOutgoingSave()` at line 398). Both methods pass `$request->all()` directly to `$mailbox->fill()` without any field allowlisting, allowing an authenticated admin to overwrite any of the 32 fields in the Mailbox model's `$fillable` array -- including security-critical fields that do not belong to the connection settings form, such as `auto_bcc`, `out_server`, `out_password`, `signature`, `auto_reply_enabled`, and `auto_reply_message`. Validation in `connectionIncomingSave()` is entirely commented out, and the validator in `connectionOutgoingSave()` only checks value formats for SMTP fields without stripping extra parameters. An authenticated admin user can exploit this by appending hidden parameters (e.g., `auto_bcc=attacker@evil.com`) to a legitimate connection settings save request. Because the `auto_bcc` field is not displayed on the connection settings form (it only appears on the general mailbox settings page), the injection is invisible to other administrators reviewing connection settings. Once set, every outgoing email from the affected mailbox is silently BCC'd to the attacker via the `SendReplyToCustomer` job. The same mechanism allows redirecting outgoing SMTP through an attacker-controlled server, injecting tracking pixels or phishing links into email signatures, and enabling attacker-crafted auto-replies -- all from a single HTTP request. This is particularly dangerous in multi-admin environments where one admin can silently surveil mailboxes managed by others, and when an admin session is compromised via a separate vulnerability (e.g., XSS), the attacker gains persistent email exfiltration that survives session expiry. Version 1.8.213 fixes the issue.
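As an added illustration (not FreeScout's own code), here is the controller shape the description contrasts, written as a Laravel action: first the `fill($request->all())` pattern that lets any `$fillable` field through, then an allowlisted replacement that also logs unexpected parameters so a defender can spot injection attempts. The class name and the incoming-connection field names (`in_server`, `in_port`, `in_username`, `in_password`) are hypothetical placeholders; `Mailbox`, `fill()`, `$request->all()` and `auto_bcc` come from the description.

```php
<?php
// Added example, not FreeScout code. Field and class names are hypothetical placeholders.

use Illuminate\Http\Request;
use Illuminate\Support\Facades\Log;

class MailboxConnectionSaveExample
{
    // The only keys the incoming-connection form is meant to edit (hypothetical names).
    private const CONNECTION_FIELDS = ['in_server', 'in_port', 'in_username', 'in_password'];

    // Keys Laravel adds to every form post that are not mailbox data.
    private const FRAMEWORK_KEYS = ['_token', '_method'];

    // Vulnerable shape (what the advisory describes): every request key that appears in
    // the model's $fillable array is written, so an extra `auto_bcc=...` parameter
    // silently lands in the mailbox row even though the form never shows that field.
    public function saveVulnerable(Request $request, Mailbox $mailbox): void
    {
        $mailbox->fill($request->all());
        $mailbox->save();
    }

    // Hardened shape: validate, then pass only the allowlisted keys to fill().
    // validate() returns just the keys named in the rules, and the array_intersect_key
    // call is a second, explicit guard so a later rule addition cannot widen the set.
    public function saveHardened(Request $request, Mailbox $mailbox): void
    {
        $unexpected = array_diff(
            array_keys($request->all()),
            self::CONNECTION_FIELDS,
            self::FRAMEWORK_KEYS
        );
        if ($unexpected !== []) {
            // Detection hook: a legitimate form post never carries fields like auto_bcc.
            Log::warning('Unexpected mailbox connection parameters dropped', [
                'mailbox_id' => $mailbox->id,
                'user_id'    => optional($request->user())->id,
                'keys'       => array_values($unexpected),
            ]);
        }

        $validated = $request->validate([
            'in_server'   => 'required|string|max:255',
            'in_port'     => 'required|integer|between:1,65535',
            'in_username' => 'required|string|max:255',
            'in_password' => 'nullable|string',
        ]);

        $mailbox->fill(array_intersect_key($validated, array_flip(self::CONNECTION_FIELDS)));
        $mailbox->save();
    }
}
```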
Published: 2026-04-21
Score: 9 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Silent Email Exfiltration
Action: Patch ASAP
AI Analysis

Impact

FreeScout contains a mass assignment flaw in the mailbox connection settings endpoints. The controller methods receive the entire request payload and pass it to the mailbox model's fill method without restricting fields. An authenticated administrator can inject values for security-critical fields such as auto_bcc, out_server, out_password, signature, auto_reply_enabled, or auto_reply_message. When auto_bcc is set to an attacker's address, every outgoing email from that mailbox is silently BCC'd to the attacker, and similar injections can redirect SMTP traffic through an attacker-controlled server, inject malicious content into signatures, or enable attacker-crafted auto-replies. The vulnerability therefore enables covert exfiltration of email data and manipulation of outbound email.

Affected Systems

All installations of FreeScout before version 1.8.213 are affected. The product is FreeScout, a self‑hosted help desk and shared mailbox solution. Users running any older release must upgrade to 1.8.213 or a later version to remediate the flaw.

Risk and Exploitability

The CVSS score of 9 indicates critical severity. Because a valid, authenticated admin session is required (PR:H in the CVSS vector), exploitation depends on already holding high privilege, although the request itself is reachable over the network (AV:N). The EPSS score is not available, so the current probability of exploitation cannot be quantified, and the vulnerability is not listed in the CISA KEV catalog. An attacker with administrative access can exploit the flaw with a single HTTP request to the connection settings endpoint, so the impact is immediate once authenticated. In multi-admin environments, the attacker can silently and persistently exfiltrate mail traffic or alter outgoing communication. Because the connection settings UI never displays the injected fields, the breach can remain hidden until an unexpected BCC recipient is noticed.

Generated by OpenCVE AI on April 21, 2026 at 22:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official patch by upgrading to FreeScout version 1.8.213 or later.
  • Limit administrative privileges and enforce least privilege to prevent unauthorized changes to mailbox settings.
  • After updating, verify and clear any suspicious configuration fields such as auto_bcc, out_server, out_password, signature, auto_reply_enabled, and auto_reply_message, and monitor outgoing emails for unexpected BCC or redirect behavior.


Advisories

No advisories yet.

History

Wed, 22 Apr 2026 00:00:00 +0000

Type: First Time appeared
  Values Added: Freescout Helpdesk; Freescout Helpdesk freescout
Type: Vendors & Products
  Values Added: Freescout Helpdesk; Freescout Helpdesk freescout
Type: Metrics (ssvc)
  Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 21 Apr 2026 17:15:00 +0000

Type: Description
  Values Added: the Description text shown at the top of this page
Type: Title
  Values Added: FreeScout's Mass Assignment in Mailbox Connection Settings Enables Silent Email Exfiltration
Type: Weaknesses
  Values Added: CWE-284; CWE-915
Type: References
  Values Added: (none)
Type: Metrics (cvssV3_1)
  Values Added: {'score': 9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:L'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-21T17:45:31.659Z

Reserved: 2026-04-14T13:24:29.474Z

Link: CVE-2026-40569

Vulnrichment

Updated: 2026-04-21T17:45:17.146Z

NVD

Status: Deferred

Published: 2026-04-21T17:16:55.450

Modified: 2026-04-22T21:10:14.290

Link: CVE-2026-40569

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T22:45:16Z

Weaknesses