Description
Inbox Zero is an AI personal assistant for email. Prior to 2.29.3, the cleaner email stream endpoint used a shared Redis subscription listener, which could deliver thread events for one authenticated account to another authenticated account using the cleaner feature at the same time. This vulnerability is fixed in 2.29.3.
Published: 2026-05-11
Score: 2.3 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in the cleaner email stream endpoint, which relied on a shared Redis subscription listener. When two authenticated users invoked the cleaner at the same time, thread events from one account could be delivered to the other account's subscriber. This allowed email thread data belonging to one user to be disclosed to another, compromising confidentiality. The weakness is classified as CWE-200 (information exposure).

Affected Systems

The affected product is Inbox Zero by elie222. Versions prior to 2.29.3 are vulnerable; all later releases contain the fix.

Risk and Exploitability

With a CVSS score of 2.3, the issue is rated low severity. The EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires the attacker to be authenticated to two separate accounts and to invoke the cleaner feature on both simultaneously, which limits the attack scenario to users with access to both accounts. The flaw does not provide remote code execution or denial of service; it only exposes thread events from one user to another.

Generated by OpenCVE AI on May 11, 2026 at 19:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Inbox Zero to version 2.29.3 or later.
  • Disable the cleaner email stream feature in older releases until the upgrade can be applied.
  • If an immediate upgrade is not possible, segregate Redis subscriptions so that each account uses a separate listener, preventing cross-account event delivery.
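To illustrate the shared-listener pattern described in the Impact section and the per-account segregation recommended in the last action above, here is an added TypeScript example that is not Inbox Zero's code; the in-memory FakePubSub, the account ids and the thread events are constructed stand-ins for a Redis subscription and the cleaner's events.

```typescript
// Constructed in-memory stand-in for a Redis pub/sub channel so the example runs offline.
type ThreadEvent = { accountId: string; threadId: string; status: string };
class FakePubSub {
  private listeners = new Map<string, ((ev: ThreadEvent) => void)[]>();
  subscribe(channel: string, fn: (ev: ThreadEvent) => void): void {
    this.listeners.set(channel, [...(this.listeners.get(channel) ?? []), fn]);
  }
  publish(channel: string, ev: ThreadEvent): void {
    for (const fn of this.listeners.get(channel) ?? []) fn(ev);
  }
}
// One open stream connection: the account it authenticated as and the events it was sent.
type StreamClient = { accountId: string; received: ThreadEvent[] };

// Vulnerable pattern: a single shared listener on one channel fans every event out to
// every connected stream, regardless of which account the event belongs to.
function attachSharedListener(bus: FakePubSub, clients: StreamClient[]): void {
  bus.subscribe("cleaner:events", (ev) => {
    for (const c of clients) c.received.push(ev);
  });
}

// Hardened pattern: each stream subscribes to an account-scoped channel, and the event's
// accountId is re-checked against the authenticated account before it is forwarded.
function attachPerAccountListener(bus: FakePubSub, client: StreamClient): void {
  bus.subscribe(`cleaner:events:${client.accountId}`, (ev) => {
    if (ev.accountId !== client.accountId) return; // drop a mis-published event
    client.received.push(ev);
  });
}

// Events a stream received that belong to some other account (should always be empty).
function leakedEvents(client: StreamClient): ThreadEvent[] {
  return client.received.filter((ev) => ev.accountId !== client.accountId);
}

// Two accounts run the cleaner at the same time and each produces one thread event.
function runScenario(perAccount: boolean): { alice: StreamClient; bob: StreamClient } {
  const bus = new FakePubSub();
  const alice: StreamClient = { accountId: "acct-alice", received: [] };
  const bob: StreamClient = { accountId: "acct-bob", received: [] };
  if (perAccount) [alice, bob].forEach((c) => attachPerAccountListener(bus, c));
  else attachSharedListener(bus, [alice, bob]);
  const events: ThreadEvent[] = [
    { accountId: "acct-alice", threadId: "t-1", status: "archived" },
    { accountId: "acct-bob", threadId: "t-2", status: "kept" },
  ];
  for (const ev of events) bus.publish(perAccount ? `cleaner:events:${ev.accountId}` : "cleaner:events", ev);
  return { alice, bob };
}
```

With `runScenario(false)` the second account's stream receives the first account's thread event; with `runScenario(true)` each stream receives only its own.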

Advisories

No advisories yet.

History

Tue, 12 May 2026 10:45:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Elie222; Elie222 inbox-zero
Vendors & Products  |                | Elie222; Elie222 inbox-zero

Mon, 11 May 2026 20:15:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 11 May 2026 18:00:00 +0000

Type        | Values Removed | Values Added
Description |                | Inbox Zero is an AI personal assistant for email. Prior to 2.29.3, the cleaner email stream endpoint used a shared Redis subscription listener, which could deliver thread events for one authenticated account to another authenticated account using the cleaner feature at the same time. This vulnerability is fixed in 2.29.3.
Title       |                | Inbox Zero: Cross-account cleaner email stream exposure
Weaknesses  |                | CWE-200
References  |                |
Metrics     |                | cvssV4_0: {'score': 2.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-11T19:25:16.428Z

Reserved: 2026-04-30T16:44:48.380Z

Link: CVE-2026-42865

Vulnrichment

Updated: 2026-05-11T19:25:11.808Z

NVD

Status : Received

Published: 2026-05-11T18:16:36.683

Modified: 2026-05-11T18:16:36.683

Link: CVE-2026-42865

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-12T09:22:43Z

Weaknesses