CVE-2026-47123
Deferred Deferred - Pending Action
Email Spoofing in FreeScout Help Desk

Publication date: 2026-05-29

Last updated on: 2026-06-02

Assigner: GitHub, Inc.

Description
FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to 1.8.220, the email processing pipeline in FreeScout's FetchEmails command has two code paths for identifying agent (user) replies based on In-Reply-To / References headers. The notification reply path (notify-{thread_id}-{user_id}-...) extracts thread_id and user_id directly from the Message-ID without HMAC verification. An external attacker who can spoof the From address of a helpdesk agent can inject messages that FreeScout processes as legitimate agent replies β€” which are then automatically forwarded to customers via the legitimate SMTP server. This vulnerability is fixed in 1.8.220.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-29
Last Modified
2026-06-02
Generated
2026-06-19
AI Q&A
2026-05-29
EPSS Evaluated
2026-06-18
NVD
CVE-2026-47123
EUVD
EUVD-2026-33440
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
freescout freescout 1.8.220
freescout freescout to 1.8.220 (inc)
freescout freescout to 1.8.220 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-345 The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.
CWE-290 This attack-focused weakness is caused by incorrectly implemented authentication schemes that are subject to spoofing attacks.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-47123 is a vulnerability in FreeScout, a help desk software built with PHP's Laravel framework. The issue lies in the email processing pipeline, specifically in the FetchEmails command, which handles agent replies through two different code paths. One path, used for notification replies, extracts thread_id and user_id directly from the Message-ID header without verifying its authenticity using HMAC (hash-based message authentication code).

An external attacker who can spoof the From address of a helpdesk agent can craft malicious emails with a specially formatted Message-ID (e.g., notify-{thread_id}-{user_id}-...) that FreeScout mistakenly processes as legitimate agent replies. These forged replies are then automatically forwarded to customers via the legitimate SMTP server, allowing the attacker to impersonate agents and inject unauthorized messages.

The root cause is inconsistent HMAC protection between the two reply paths and the lack of email authentication checks like SPF, DKIM, or DMARC, which makes it easier for spoofed emails to be accepted.

Impact Analysis

This vulnerability can have significant impacts on the integrity and trustworthiness of your help desk communications.

  • An attacker can impersonate a helpdesk agent by sending forged email replies that appear legitimate.
  • These forged replies are automatically forwarded to customers, potentially spreading misinformation or malicious content.
  • It can lead to unauthorized disclosure or manipulation of customer communications, damaging your organization's reputation.
  • Because the attack exploits missing verification and spoofed email addresses, it can be difficult to detect and prevent without proper email authentication mechanisms.
Detection Guidance

This vulnerability can be detected by monitoring incoming emails processed by FreeScout for suspicious Message-ID headers that follow the pattern notify-{thread_id}-{user_id}-... without proper HMAC verification.

Since the vulnerability involves spoofed emails that appear to come from helpdesk agents, checking email logs for messages with forged From addresses matching agent emails and Message-IDs lacking the expected hash can help identify exploitation attempts.

You can use commands to search mail server logs or FreeScout logs for suspicious Message-IDs or From addresses. For example:

  • grep -i 'notify-' /var/log/mail.log
  • grep -i 'From: [email protected]' /var/log/mail.log
  • grep -E 'notify-[0-9]+-[0-9]+' /path/to/freescout/storage/logs/laravel.log

Additionally, reviewing FreeScout's FetchEmails processing logs for errors related to missing or invalid HMAC hashes in Message-IDs can help detect attempts to exploit this vulnerability.

Mitigation Strategies

The primary mitigation step is to upgrade FreeScout to version 1.8.220 or later, where the vulnerability is fixed by introducing HMAC verification on the Message-ID field for notification replies.

If upgrading immediately is not possible, consider implementing email authentication mechanisms such as SPF, DKIM, and DMARC to reduce the risk of spoofed emails being accepted by your mail server.

Additionally, monitor and restrict access to the mailboxes used by FreeScout to prevent unauthorized injection of emails.

Review and harden your mail server and FreeScout configurations to reject emails with suspicious or malformed Message-IDs that do not include the expected HMAC hash.

Compliance Impact

The vulnerability allows an external attacker to spoof helpdesk agent email replies, causing unauthorized messages to be forwarded to customers via the legitimate SMTP server. This can lead to integrity violations by injecting forged content into customer communications.

Such unauthorized message injection and potential data integrity compromise could negatively impact compliance with standards and regulations like GDPR and HIPAA, which require protection of data integrity and confidentiality in communications.

Additionally, the lack of email authentication checks (SPF/DKIM/DMARC) in FreeScout exacerbates the risk of spoofed emails being processed, increasing the likelihood of unauthorized data disclosure or manipulation.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-47123. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart