CVE-2026-40566
Status: Received (Intake)
SSRF in FreeScout MailboxesController Enables Internal Port Scanning

Publication date: 2026-04-21

Last updated on: 2026-04-21

Assigner: GitHub, Inc.

Description
FreeScout is a free self-hosted help desk and shared mailbox. Versions prior to 1.8.213 have a Server-Side Request Forgery (SSRF) vulnerability in the IMAP/SMTP connection test functionality of FreeScout's `MailboxesController`. Three AJAX actions, `fetch_test` (line 731), `send_test` (line 682) and `imap_folders` (line 773) in `app/Http/Controllers/MailboxesController.php`, pass the admin-configured `in_server`/`in_port` and `out_server`/`out_port` values directly to `fsockopen()` via `Helper::checkPort()` and to IMAP/SMTP client connections with no SSRF protection at all: no IP validation, no hostname restriction, no blocklist of internal ranges, and no call to the project's own `sanitizeRemoteUrl()` or `checkUrlIpAndHost()` functions. The validation block in `connectionIncomingSave()` is entirely commented out.

An authenticated admin can configure a mailbox's IMAP or SMTP server to point at any internal host and port, then trigger a connection test. The server opens raw TCP connections (via `fsockopen()`) and protocol-level connections (via the IMAP client or SMTP transport) to the attacker-specified target. Because the response distinguishes open from closed ports, this enables internal network port scanning. When the IMAP client connects to a non-IMAP service, the target's service banner or error response is captured in the IMAP debug log and returned in the `log` field of the AJAX response, making this a semi-blind SSRF that allows service fingerprinting. In cloud environments the metadata endpoint at `169[.]254[.]169[.]254` can be probed, and partial response data may leak through protocol error messages.

This issue is distinct from the `sanitizeRemoteUrl()` redirect bypass (freescout-3): different code path, different root cause, different protocol layer. Version 1.8.213 patches the vulnerability.
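As an added example (not FreeScout's code, and not the fix that shipped in 1.8.213), the vulnerable shape described above is shown next to a hardened port check that resolves the admin-supplied host, rejects any answer in a loopback, private, link-local or other non-public range, and then connects to the vetted address rather than the hostname. The function names `vulnerableCheckPort`, `vetTarget`, `safeCheckPort`, `resolveHost` and `isForbiddenIp` are hypothetical stand-ins for `Helper::checkPort()`; the hostnames, addresses and mailbox settings in the demo at the bottom are constructed so the gate runs offline.

```php
<?php
declare(strict_types=1);
// Added example, not FreeScout's code. All function names are hypothetical.

// Vulnerable shape from the advisory: admin-supplied host/port reach fsockopen()
// untouched, and the boolean tells the caller whether the port is open.
function vulnerableCheckPort(string $host, int $port): bool
{
    $fp = @fsockopen($host, $port, $errno, $errstr, 5);
    return $fp !== false && fclose($fp);
}

// Ranges a mail-server setting must never resolve to: "this host", loopback, RFC 1918,
// CGNAT, link-local (169.254.169.254 lives here), multicast, reserved, IPv6 unspecified/
// loopback/ULA/link-local, plus the IPv4-mapped and NAT64 prefixes that would smuggle
// an IPv4 range through an IPv4-only check.
const FORBIDDEN_CIDRS = [
    '0.0.0.0/8', '10.0.0.0/8', '100.64.0.0/10', '127.0.0.0/8', '169.254.0.0/16',
    '172.16.0.0/12', '192.168.0.0/16', '224.0.0.0/4', '240.0.0.0/4',
    '::/128', '::1/128', 'fc00::/7', 'fe80::/10', '::ffff:0:0/96', '64:ff9b::/96',
];

function ipInCidr(string $ip, string $cidr): bool
{
    [$net, $bits] = explode('/', $cidr, 2);
    $a = @inet_pton($ip);
    $n = @inet_pton($net);
    if ($a === false || $n === false || strlen($a) !== strlen($n)) {
        return false; // unparsable, or a different address family than the CIDR
    }
    $whole = intdiv((int) $bits, 8);
    $rest = (int) $bits % 8;
    if (substr($a, 0, $whole) !== substr($n, 0, $whole)) {
        return false;
    }
    $mask = $rest === 0 ? 0 : (0xff << (8 - $rest)) & 0xff;
    return $rest === 0 || (ord($a[$whole]) & $mask) === (ord($n[$whole]) & $mask);
}

function isForbiddenIp(string $ip): bool
{
    if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
        return true; // not a plain literal: never trust it
    }
    foreach (FORBIDDEN_CIDRS as $cidr) {
        if (ipInCidr($ip, $cidr)) {
            return true;
        }
    }
    return false;
}

// Policy gate: resolve the host, deny if ANY answer is forbidden, return the vetted IPs.
// $resolve maps a hostname to a list of addresses (injectable so tests stay offline).
function vetTarget(string $host, int $port, callable $resolve): array
{
    if ($port < 1 || $port > 65535) {
        return ['ok' => false, 'reason' => 'port out of range', 'ips' => []];
    }
    $host = trim($host, " \t[]");
    // A literal is used as-is; anything else must resolve. Forms such as "2130706433"
    // are neither, so they fail closed here even though the libc resolver behind
    // fsockopen() typically accepts them as 127.0.0.1.
    $ips = filter_var($host, FILTER_VALIDATE_IP) !== false ? [$host] : $resolve($host);
    if ($ips === []) {
        return ['ok' => false, 'reason' => 'host did not resolve', 'ips' => []];
    }
    foreach ($ips as $ip) {
        if (isForbiddenIp($ip)) {
            return ['ok' => false, 'reason' => "$ip is not a public address", 'ips' => []];
        }
    }
    return ['ok' => true, 'reason' => 'allowed', 'ips' => $ips];
}

// Hardened check: vet first, then connect to the vetted IP literal, not the hostname,
// so a DNS answer that changes between check and connect cannot redirect the probe.
// Only a coarse verdict is returned; $errstr and any banner stay out of the response.
function safeCheckPort(string $host, int $port, ?callable $resolve = null): array
{
    $v = vetTarget($host, $port, $resolve ?? 'resolveHost');
    if (!$v['ok']) {
        return $v;
    }
    $ip = $v['ips'][0];
    $fp = @fsockopen(strpos($ip, ':') !== false ? "tcp://[$ip]" : "tcp://$ip", $port, $errno, $errstr, 5);
    if ($fp === false) {
        return ['ok' => false, 'reason' => 'connection failed', 'ips' => $v['ips']];
    }
    fclose($fp);
    return ['ok' => true, 'reason' => 'connected', 'ips' => $v['ips']];
}

// Production resolver: collect A and AAAA answers.
function resolveHost(string $host): array
{
    $out = [];
    foreach (@dns_get_record($host, DNS_A | DNS_AAAA) ?: [] as $rr) {
        if (isset($rr['ip']))   { $out[] = $rr['ip']; }
        if (isset($rr['ipv6'])) { $out[] = $rr['ipv6']; }
    }
    return $out;
}

// Constructed demo: canned DNS answers and sample in_server/in_port values (not real data).
$fakeDns = [
    'imap.example.com'   => ['203.0.113.10'],
    'meta.attacker.test' => ['169.254.169.254'],          // DNS-based pivot to cloud metadata
    'dual.attacker.test' => ['203.0.113.20', '10.0.0.5'], // one public answer, one internal
];
$canned = function (string $h) use ($fakeDns): array { return $fakeDns[$h] ?? []; };
$samples = [['imap.example.com', 993], ['127.0.0.1', 6379], ['169.254.169.254', 80],
            ['::ffff:10.0.0.5', 22], ['2130706433', 22], ['meta.attacker.test', 80],
            ['dual.attacker.test', 143]];
foreach ($samples as [$h, $p]) {
    $v = vetTarget($h, $p, $canned);
    printf("%-20s %-5d %s (%s)\n", $h, $p, $v['ok'] ? 'ALLOW' : 'DENY ', $v['reason']);
}
```

Run it with the PHP CLI; only `imap.example.com` is allowed, every other sample is denied before any socket is opened. The same `vetTarget()` gate belongs in front of the IMAP and SMTP client paths as well, but those clients are normally handed the hostname (TLS certificate verification needs it), so the residual window between resolution and connection can only be closed at the network layer, which is why host validation should be paired with outbound filtering from the FreeScout host.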
Meta Information
Generated: 2026-05-07
AI Q&A: 2026-04-21
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor: freescout
Product: freescout
Version range: all versions before 1.8.213 (1.8.213 itself excluded)
CWE
CWE-918: The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

CVE-2026-40566 allows authenticated administrators to perform Server-Side Request Forgery (SSRF) attacks that enable internal network reconnaissance, service fingerprinting, and partial leakage of sensitive cloud metadata, including potential IAM credentials.

Such unauthorized internal network access and potential leakage of sensitive information could lead to violations of data protection regulations like GDPR and HIPAA, which require strict controls over access to personal and sensitive data and mandate protection against unauthorized access or disclosure.

The vulnerability increases the risk of exposing internal infrastructure details and sensitive metadata, which could be leveraged to compromise confidentiality and integrity of protected data, thereby impacting compliance with these standards.


How can this vulnerability impact me?

This vulnerability can impact you by allowing an authenticated admin or an attacker with admin privileges to perform internal network reconnaissance and port scanning from the FreeScout server.

It enables service fingerprinting by capturing banners or error messages from internal services such as SSH, Redis, MySQL, PostgreSQL, and Elasticsearch.

In cloud environments, it can be used to probe the cloud metadata endpoint, potentially leaking sensitive metadata and IAM credentials.

Additionally, the vulnerability can cause connection exhaustion by holding connections open for up to 60 seconds, potentially affecting server availability.

Exploitation requires authenticated admin privileges, so the risk is higher in compromised-admin or insider threat scenarios.


Can you explain this vulnerability to me?

CVE-2026-40566 is a Server-Side Request Forgery (SSRF) vulnerability in FreeScout versions prior to 1.8.213, specifically in the IMAP/SMTP connection test functionality within the MailboxesController.

The vulnerability occurs because three AJAX actions (fetch_test, send_test, and imap_folders) use admin-configured server and port values directly in network connection functions without any SSRF protections such as IP validation, hostname restrictions, or internal network blocklists.

An authenticated admin can configure mailbox IMAP or SMTP servers to point to any internal host and port, then trigger connection tests. This causes the server to open raw TCP connections and protocol-level connections to attacker-specified targets, enabling internal network port scanning and service fingerprinting.

In cloud environments, the vulnerability allows probing of the metadata endpoint (169.254.169.254), potentially leaking partial response data through protocol error messages.

The vulnerability is patched in FreeScout version 1.8.213 by adding strict validation of mail server host inputs.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring for unusual or unauthorized connection attempts initiated by the FreeScout server to internal or cloud metadata IP addresses, especially during mailbox connection tests.

Since the vulnerability involves the FreeScout server opening raw TCP connections and IMAP/SMTP protocol connections to attacker-specified hosts and ports, detection can focus on identifying these connection attempts.

  • Monitor network traffic for outgoing connections from the FreeScout server to internal IP ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) or the cloud metadata address 169.254.169.254; a legitimate mail server is rarely in those ranges, and the metadata endpoint never is.
  • Check FreeScout IMAP debug logs and the `log` field of connection-test AJAX responses for unexpected service banners or error messages that indicate connections to non-IMAP/SMTP services.
  • Use network monitoring tools or commands such as:
  1. `ss -tnp` (or `netstat -tnp`) on the FreeScout host, filtered on the PHP worker process (`php-fpm`, or the web server process when PHP runs in-process), to list established outbound TCP connections and their destinations. `fsockopen()` is a PHP function, not a process name, so it never appears in this output.
  2. `tcpdump -i <interface> src host <freescout_server_ip> and (dst net 10.0.0.0/8 or dst net 172.16.0.0/12 or dst net 192.168.0.0/16 or dst host 169.254.169.254)` to capture suspicious outgoing packets.
  3. Review FreeScout application and web-server logs for the AJAX actions `fetch_test`, `send_test` and `imap_folders`, correlating each connection test with the admin account that triggered it and the `in_server`/`out_server` value in effect at the time.

What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation step is to upgrade FreeScout to version 1.8.213 or later, where the vulnerability has been patched by implementing strict validation of mail server host inputs.

If upgrading immediately is not possible, restrict administrative access to the FreeScout application to trusted users only, as exploitation requires authenticated admin privileges.

Additionally, consider network-level controls such as firewall rules that block the FreeScout server (or just its PHP worker user) from making outbound connections to internal IP ranges and cloud metadata IP addresses, while still allowing the real mail servers it needs to reach.

Review and validate all configured mailbox IMAP and SMTP server settings to ensure they do not point to internal or unauthorized hosts.

