Executive Summary

CVE-2026-40569 is a critical mass assignment vulnerability in FreeScout versions prior to 1.8.213 affecting the mailbox connection settings endpoints. The vulnerability arises because the methods handling incoming and outgoing mailbox connection settings (`connectionIncomingSave()` and `connectionOutgoingSave()`) pass all HTTP request parameters directly to the mailbox model's `fill()` method without filtering or allowlisting fields.

This allows an authenticated admin user to overwrite any of the 32 writable fields in the mailbox model, including sensitive security-related fields that are not normally exposed on the connection settings forms, such as `auto_bcc`, `out_server`, `out_password`, `signature`, and `auto_reply_enabled`.

Because validation is missing or insufficient, an attacker can inject hidden parameters (e.g., `[email protected]`) into legitimate requests, enabling silent and persistent manipulation of mailbox behavior. For example, the `auto_bcc` field causes every outgoing email to be silently BCC'd to the attacker without any UI indication or logging.

Other attack possibilities include redirecting outgoing SMTP traffic through attacker-controlled servers, injecting phishing links or tracking pixels into email signatures, and enabling malicious auto-replies. This vulnerability is especially dangerous in multi-admin environments or if an admin session is compromised.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can have severe impacts including complete compromise of mailbox confidentiality and integrity. An attacker with admin access can silently exfiltrate all outgoing emails by injecting an `auto_bcc` address, allowing them to receive copies of all communications without detection.

Additionally, the attacker can redirect outgoing emails through malicious SMTP servers, enabling interception, modification, or phishing attacks. They can also inject malicious content such as tracking pixels or phishing links into email signatures or enable automated phishing auto-replies.

Because the injected changes are invisible on the connection settings form, other administrators are unlikely to detect the compromise. The attacker gains persistent control that survives session expiry, leading to long-term undetected data leakage and potential large-scale compromise of email communications.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by monitoring HTTP requests to the mailbox connection settings endpoints in FreeScout, specifically the POST requests to the endpoints handled by the methods `connectionIncomingSave()` and `connectionOutgoingSave()` in `app/Http/Controllers/MailboxesController.php`.

Look for requests that include unexpected or hidden parameters such as `auto_bcc`, `out_server`, `out_password`, `signature`, `auto_reply_enabled`, or `auto_reply_message` which are not normally present in the connection settings forms.

Detection can be done by intercepting and inspecting HTTP traffic using tools like Burp Suite or by analyzing web server logs for suspicious POST parameters.

Example commands to detect suspicious requests include:

• Using curl to test if unauthorized fields can be set (replace URL and authentication accordingly): curl -X POST -d "[email protected]&out_server=malicious.server" -u admin:password https://your-freescout-instance/api/mailbox/connectionOutgoingSave
• Using grep on web server logs to find suspicious parameters: grep -E 'auto_bcc|out_password|auto_reply_enabled' /var/log/nginx/access.log
• Using Burp Suite or similar HTTP proxy to intercept and inspect POST requests to mailbox connection settings endpoints for unexpected parameters.

Useful 0 Not Useful 0

Mitigation Strategies

The immediate and recommended step to mitigate this vulnerability is to upgrade FreeScout to version 1.8.213 or later, where the issue has been fixed.

The fix involves restricting which fields can be populated on the mailbox fetching and sending settings pages by filtering input parameters to only allow a predefined set of safe keys.

• Upgrade FreeScout to version 1.8.213 or newer.
• Ensure that the `connectionIncomingSave()` and `connectionOutgoingSave()` methods only accept and save allowed fields, preventing mass assignment of unauthorized fields.
• Restore and enable proper validation on incoming parameters for mailbox connection settings.
• Monitor admin activity and audit mailbox settings for suspicious changes, especially to hidden fields like `auto_bcc`.

If immediate upgrade is not possible, restrict admin access and monitor for suspicious POST requests to mailbox connection endpoints to reduce risk.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability allows an authenticated admin to silently and persistently exfiltrate all outgoing emails by injecting unauthorized mailbox settings such as auto_bcc, which sends copies of emails to an attacker-controlled address without detection.

This undetectable exfiltration of potentially sensitive customer and communication data can lead to violations of data protection regulations such as GDPR and HIPAA, which require strict controls over personal and health information confidentiality and integrity.

By enabling attackers to redirect emails through malicious servers, inject phishing content, or disable encryption, the vulnerability compromises the confidentiality, integrity, and availability of email communications, further risking non-compliance with these standards.

In multi-admin environments or when admin sessions are compromised, this vulnerability can lead to large-scale, persistent breaches of sensitive data, undermining regulatory compliance obligations related to access control, data security, and breach notification.

Useful 0 Not Useful 0