CVE-2026-42865
Inbox Zero Redis Subscription Listener Account Takeover
Publication date: 2026-05-11
Last updated on: 2026-05-11
Assigner: GitHub, Inc.
Description
Exploitability
| CWE ID | Description |
|---|---|
| CWE-200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability CVE-2026-42865 is a cross-account email stream exposure issue in the Inbox Zero AI personal assistant for email. Specifically, the cleaner email stream endpoint used a shared Redis subscription listener that could mistakenly deliver email thread events from one authenticated user's account to another authenticated user's account when both were using the cleaner feature at the same time.
This flaw was present in versions prior to 2.29.3 and was fixed in version 2.29.3. The issue was limited in scope because the cleaner feature was in early access, disabled by default in self-hosted deployments unless explicitly enabled, and exploitation required two separate authenticated users who did not trust each other.
The vulnerability is classified as Low severity and falls under CWE-200, which involves the exposure of sensitive information to unauthorized actors.
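To make the failure mode concrete, here is an added illustrative model (TypeScript, not Inbox Zero's own code) of one shared pub/sub listener fanning thread events out to every open stream, next to a listener scoped to a single email account; the `cleaner:` channel naming, the `emailAccountId` field and the account ids are assumptions.

```typescript
// Illustrative model of the bug class (added example, not Inbox Zero's own code):
// an in-memory pub/sub stands in for Redis, each Stream is one user's open event stream.
type ThreadEvent = { emailAccountId: string; threadId: string };
type Stream = { emailAccountId: string; received: string[] };
type Handler = (channel: string, message: string) => void;
class FakePubSub {
  private handlers: Handler[] = [];
  subscribe(handler: Handler): void { this.handlers.push(handler); }
  publish(channel: string, event: ThreadEvent): void {
    for (const h of this.handlers) h(channel, JSON.stringify(event));
  }
}

// Vulnerable shape: one listener shared by all open streams fans every event out to all of them.
function attachSharedListener(bus: FakePubSub, streams: Stream[]): void {
  bus.subscribe((_channel, message) => {
    const event: ThreadEvent = JSON.parse(message);
    for (const s of streams) s.received.push(event.threadId); // no ownership check
  });
}

// Hardened shape: listen only on an account-scoped channel and re-check the event's account id.
function attachScopedListener(bus: FakePubSub, stream: Stream): void {
  const ownChannel = `cleaner:${stream.emailAccountId}`;
  bus.subscribe((channel, message) => {
    if (channel !== ownChannel) return;
    const event: ThreadEvent = JSON.parse(message);
    if (event.emailAccountId !== stream.emailAccountId) return;
    stream.received.push(event.threadId);
  });
}

// Two users stream concurrently; returns the thread ids each account ended up seeing.
function simulate(mode: "shared" | "scoped"): { alice: string[]; bob: string[] } {
  const bus = new FakePubSub();
  const alice: Stream = { emailAccountId: "acct-alice", received: [] };
  const bob: Stream = { emailAccountId: "acct-bob", received: [] };
  if (mode === "shared") attachSharedListener(bus, [alice, bob]);
  else [alice, bob].forEach((s) => attachScopedListener(bus, s));
  // Constructed sample events, one per account, published on per-account channels.
  bus.publish("cleaner:acct-alice", { emailAccountId: "acct-alice", threadId: "t-a1" });
  bus.publish("cleaner:acct-bob", { emailAccountId: "acct-bob", threadId: "t-b1" });
  return { alice: alice.received, bob: bob.received };
}

// True when either stream received a thread id belonging to the other account.
function leaksAcrossAccounts(mode: "shared" | "scoped"): boolean {
  const seen = simulate(mode);
  return seen.alice.includes("t-b1") || seen.bob.includes("t-a1");
}
```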
How can this vulnerability impact me?
This vulnerability can lead to unauthorized exposure of email thread events between different authenticated users using the cleaner feature simultaneously. This means that sensitive email information intended for one user could be inadvertently delivered to another user, potentially compromising privacy and confidentiality.
However, the impact is limited because the cleaner feature was in early access, disabled by default in self-hosted environments, and exploitation requires multiple authenticated users who do not trust each other.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves cross-account email stream exposure through the cleaner email stream endpoint using a shared Redis subscription listener. Detection would involve monitoring or inspecting Redis subscription activity related to the cleaner feature in inbox-zero versions prior to 2.29.3.
Since the cleaner feature is disabled by default in self-hosted deployments unless explicitly enabled, first verify if the cleaner feature is enabled by checking the environment variable NEXT_PUBLIC_CLEANER_ENABLED.
You can check if the cleaner feature is enabled by running a command to inspect environment variables or configuration files, for example:
- On Linux systems, run: `echo $NEXT_PUBLIC_CLEANER_ENABLED`
- Check Redis subscriptions related to inbox-zero cleaner endpoints by connecting to Redis and running: `redis-cli PUBSUB CHANNELS` to see active channels.
- Monitor network traffic for simultaneous authenticated requests to cleaner endpoints such as `/api/clean/gmail`, `/api/clean/history`, and `/api/clean`.
However, no specific detection commands or tools are provided in the available resources.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to upgrade inbox-zero to version 2.29.3 or later, where the vulnerability is fixed.
If upgrading immediately is not possible, ensure that the cleaner feature is disabled in your deployment by verifying that the environment variable NEXT_PUBLIC_CLEANER_ENABLED is either unset or set to false.
Disabling the cleaner feature prevents the vulnerable shared Redis subscription listener from being active, thus mitigating the risk.
Additionally, monitor and restrict access to the cleaner API routes `/api/clean/gmail`, `/api/clean/history`, and `/api/clean` to trusted users only.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability CVE-2026-42865 involves the exposure of email thread events from one authenticated user to another, which constitutes unauthorized disclosure of potentially sensitive information.
Such unauthorized data exposure could impact compliance with data protection regulations like GDPR and HIPAA, which require strict controls to prevent unauthorized access to personal or sensitive information.
However, the issue was limited in scope because the affected feature was in early access, disabled by default in self-hosted deployments, and exploitation required two separate authenticated users who did not trust each other.
The vulnerability was fixed in version 2.29.3, mitigating the risk of non-compliance due to this issue.