CVE-2026-40566 Overview
CVE-2026-40566 is a Server-Side Request Forgery (SSRF) vulnerability affecting FreeScout, a free self-hosted help desk and shared mailbox application. The vulnerability exists in the IMAP/SMTP connection test functionality within FreeScout's MailboxesController, allowing authenticated administrators to abuse the connection testing feature to probe internal network resources and cloud metadata endpoints.
The vulnerability stems from three AJAX actions—fetch_test (line 731), send_test (line 682), and imap_folders (line 773)—in app/Http/Controllers/MailboxesController.php that pass admin-configured server and port values directly to fsockopen() via Helper::checkPort() and to IMAP/SMTP client connections without any SSRF protection mechanisms.
Critical Impact
Authenticated administrators can leverage this SSRF vulnerability to perform internal network port scanning, service fingerprinting, and potentially leak cloud metadata from endpoints like 169.254.169.254. Service banners and error responses are captured in IMAP debug logs and returned in AJAX responses.
Affected Products
- FreeScout versions prior to 1.8.213
Discovery Timeline
- 2026-04-21 - CVE-2026-40566 published to NVD
- 2026-04-22 - Last updated in NVD database
Technical Details for CVE-2026-40566
Vulnerability Analysis
This SSRF vulnerability allows an authenticated admin to configure a mailbox's IMAP or SMTP server to point at any internal host and port, then trigger a connection test. The server opens raw TCP connections (via fsockopen()) and protocol-level connections (via IMAP client or SMTP transport) to the attacker-specified target.
The vulnerability is particularly concerning because it operates as a semi-blind SSRF—while direct response content isn't fully returned, the response differentiates open from closed ports, enabling internal network port scanning. When the IMAP client connects to a non-IMAP service, the target's service banner or error response is captured in the IMAP debug log and returned in the AJAX response's log field, enabling service fingerprinting.
In cloud environments, the metadata endpoint at 169.254.169.254 can be probed and partial response data may be leaked through protocol error messages, potentially exposing sensitive cloud configuration data, IAM credentials, or instance metadata.
Root Cause
The root cause is a complete lack of SSRF protection in the connection testing functionality. Specifically:
- No IP validation is performed on user-supplied server addresses
- No hostname restrictions or blocklists for internal ranges (RFC 1918, link-local addresses)
- No utilization of the project's own sanitizeRemoteUrl() or checkUrlIpAndHost() functions
- The validation block in connectionIncomingSave() is entirely commented out
The in_server/in_port and out_server/out_port values from admin configuration are passed directly to network functions without sanitization. This is distinct from the sanitizeRemoteUrl() redirect bypass vulnerability—it involves a different code path, different root cause, and operates at a different protocol layer.
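As an added illustration of the check this advisory says is missing (not FreeScout's own code, and written in Python rather than the project's PHP), the following validates an admin-supplied mail server before any socket is opened: an IP literal is classified directly, a hostname is resolved and every returned address is checked against loopback, RFC 1918, link-local (which covers 169.254.169.254) and their IPv6 equivalents. The resolver is injectable so the function can be exercised offline; the blocked-range list and the hostnames below are constructed for the example.

```python
import ipaddress
import socket
from typing import Callable, List

# Constructed blocklist: ranges a help-desk IMAP/SMTP test should never reach.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8",       # "this" network / unspecified
    "127.0.0.0/8",     # loopback
    "10.0.0.0/8",      # RFC 1918
    "172.16.0.0/12",   # RFC 1918
    "192.168.0.0/16",  # RFC 1918
    "169.254.0.0/16",  # link-local, includes cloud metadata 169.254.169.254
    "100.64.0.0/10",   # CGNAT
    "::/128", "::1/128",  # IPv6 unspecified / loopback
    "fc00::/7",        # IPv6 unique local
    "fe80::/10",       # IPv6 link-local
)]

def _resolve(host: str) -> List[str]:
    """Default resolver: every A/AAAA answer for host (requires network access)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})

def blocked_addresses(host: str, resolver: Callable[[str], List[str]] = _resolve) -> List[str]:
    """Return the addresses behind `host` that fall inside a blocked range.

    An IP literal is checked as given; a hostname is resolved and *all* answers
    are checked, so a name that mixes public and private records is still rejected.
    """
    host = host.strip().strip("[]")  # accept bracketed IPv6 literals
    try:
        ipaddress.ip_address(host)
        addrs = [host]
    except ValueError:
        addrs = resolver(host)
    bad = []
    for a in addrs:
        ip = ipaddress.ip_address(a)
        # Judge IPv4-mapped IPv6 (::ffff:10.0.0.1) by its embedded IPv4 address.
        if ip.version == 6 and ip.ipv4_mapped is not None:
            ip = ip.ipv4_mapped
        if any(ip in net for net in BLOCKED_NETWORKS):
            bad.append(a)
    return bad

def validate_mail_server(host: str, port: int,
                         resolver: Callable[[str], List[str]] = _resolve) -> None:
    """Raise ValueError unless host:port is an acceptable external mail server."""
    if not 1 <= port <= 65535:
        raise ValueError(f"invalid port {port}")
    bad = blocked_addresses(host, resolver)
    if bad:
        raise ValueError(f"{host} resolves to blocked address(es): {', '.join(bad)}")

if __name__ == "__main__":
    # Constructed resolver standing in for DNS: one public and one private answer.
    fake_dns = lambda h: ["203.0.113.10", "10.0.0.5"]
    for target in ("169.254.169.254", "mail.example.com"):
        try:
            validate_mail_server(target, 993, fake_dns)
            print(target, "accepted")
        except ValueError as e:
            print("rejected:", e)
```

Resolving once for validation and again inside the IMAP client leaves a window for a DNS answer to change between the two lookups, so a production check should pin the validated address (or validate inside the connect path itself) rather than trust the hostname after the fact.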
Attack Vector
An attacker with administrative access to FreeScout can exploit this vulnerability through the mailbox configuration interface:
- Access the mailbox settings and configure the IMAP or SMTP server to point to an internal target (e.g., 127.0.0.1, 192.168.x.x, or 169.254.169.254)
- Specify the target port to probe
- Trigger a connection test via one of the vulnerable AJAX actions
- Observe the response to determine port state (open/closed) and capture service banners from the debug log
The vulnerability is exploitable over the network and requires high privileges (administrator access). While the scope is changed (affecting resources beyond the vulnerable component), confidentiality impact is limited to partial information disclosure through error messages and service banners.
Detection Methods for CVE-2026-40566
Indicators of Compromise
- Unusual outbound connections from the FreeScout server to internal network ranges (RFC 1918 addresses)
- Connection attempts to cloud metadata endpoints (169.254.169.254)
- Mailbox configurations with internal IP addresses or localhost as IMAP/SMTP servers
- High frequency of connection test AJAX requests from administrative sessions
Detection Strategies
- Monitor web application logs for requests to /mailboxes/*/fetch_test, /mailboxes/*/send_test, and /mailboxes/*/imap_folders endpoints
- Implement network-level monitoring for FreeScout server connections to internal IP ranges or sensitive endpoints
- Review mailbox configurations for suspicious server entries pointing to internal resources
- Alert on connection attempts to port 80/443 on cloud metadata IP addresses from application servers
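The log-monitoring strategy above, as an added example that is not part of this advisory or of FreeScout: it parses combined-format web access logs, keeps only requests to the three connection-test endpoints, and raises an alert when one client issues more than a threshold of such requests inside a sliding time window, which is the pattern a port sweep through this feature would leave. The log lines, client addresses and threshold are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/nginx "combined" access-log format (the sample below is constructed).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)
# The three AJAX actions named in the advisory, with an optional query string.
TEST_ENDPOINT_RE = re.compile(r'^/mailboxes/[^/]+/(fetch_test|send_test|imap_folders)(\?|$)')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

SAMPLE_LOG = """\
198.51.100.7 - - [21/Apr/2026:10:00:01 +0000] "GET /mailboxes/3/edit HTTP/1.1" 200 5120
198.51.100.7 - - [21/Apr/2026:10:00:05 +0000] "POST /mailboxes/3/fetch_test HTTP/1.1" 200 311
198.51.100.7 - - [21/Apr/2026:10:00:21 +0000] "POST /mailboxes/3/fetch_test HTTP/1.1" 200 298
198.51.100.7 - - [21/Apr/2026:10:00:37 +0000] "POST /mailboxes/3/fetch_test HTTP/1.1" 200 305
198.51.100.7 - - [21/Apr/2026:10:00:52 +0000] "POST /mailboxes/3/imap_folders HTTP/1.1" 200 640
198.51.100.7 - - [21/Apr/2026:10:01:10 +0000] "POST /mailboxes/3/fetch_test HTTP/1.1" 200 301
198.51.100.7 - - [21/Apr/2026:10:01:30 +0000] "POST /mailboxes/3/fetch_test HTTP/1.1" 200 299
198.51.100.22 - - [21/Apr/2026:10:05:00 +0000] "POST /mailboxes/5/send_test HTTP/1.1" 200 210
198.51.100.22 - - [21/Apr/2026:10:09:00 +0000] "POST /mailboxes/5/send_test HTTP/1.1" 200 214
"""

def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec

def connection_test_events(lines):
    """Yield parsed records whose path is one of the connection-test endpoints."""
    for line in lines:
        rec = parse_line(line)
        if rec and TEST_ENDPOINT_RE.match(rec["path"]):
            yield rec

def burst_alerts(lines, threshold=5, window=timedelta(minutes=5)):
    """Return (ip, count, first_ts, last_ts) for each client that issued at least
    `threshold` connection-test requests within any `window`-long span.
    A legitimate admin tests a mailbox a few times while setting it up; many
    tests in a few minutes is consistent with probing ports through this feature."""
    per_ip = defaultdict(list)
    for rec in connection_test_events(lines):
        per_ip[rec["ip"]].append(rec["ts"])
    alerts = []
    for ip, stamps in per_ip.items():
        stamps.sort()
        start, best = 0, None
        for end in range(len(stamps)):
            # Slide the window start forward until it spans at most `window`.
            while stamps[end] - stamps[start] > window:
                start += 1
            n = end - start + 1
            if n >= threshold and (best is None or n > best[0]):
                best = (n, stamps[start], stamps[end])
        if best:
            alerts.append((ip, best[0], best[1], best[2]))
    return alerts

if __name__ == "__main__":
    for ip, n, first, last in burst_alerts(SAMPLE_LOG.splitlines()):
        print(f"ALERT {ip}: {n} connection tests between {first:%H:%M:%S} and {last:%H:%M:%S}")
```

Pair this with the mailbox-configuration review from the list above: a burst of tests is the trigger, and the server/port values the admin saved at that time tell you which internal hosts were probed.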
Monitoring Recommendations
- Deploy web application firewall rules to detect SSRF patterns in mailbox configuration parameters
- Enable detailed logging for the MailboxesController class to capture connection test activities
- Implement egress filtering to restrict FreeScout server's ability to connect to internal networks
- Configure SIEM alerts for connection patterns consistent with port scanning behavior
How to Mitigate CVE-2026-40566
Immediate Actions Required
- Upgrade FreeScout to version 1.8.213 or later immediately
- Audit existing mailbox configurations for any suspicious server addresses pointing to internal resources
- Review administrative access logs for signs of exploitation
- Consider implementing network segmentation to limit the FreeScout server's access to internal resources
Patch Information
FreeScout version 1.8.213 addresses this vulnerability. The fix is available through:
For complete vulnerability details, refer to the GitHub Security Advisory GHSA-fg98-rgx6-8x4g.
Workarounds
- Restrict administrative access to trusted users only until patching is complete
- Implement network-level egress filtering to prevent the FreeScout server from connecting to internal IP ranges and cloud metadata endpoints
- Deploy a web application firewall with SSRF detection rules to block requests containing internal IP addresses in server configuration fields
- Consider disabling the connection test functionality at the web server level by blocking the vulnerable AJAX endpoints until the patch can be applied
# Example: Block access to vulnerable endpoints using .htaccess (temporary mitigation)
# Add to FreeScout's .htaccess file
# Block connection test endpoints until patched
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule ^mailboxes/.*/fetch_test$ - [F,L]
RewriteRule ^mailboxes/.*/send_test$ - [F,L]
RewriteRule ^mailboxes/.*/imap_folders$ - [F,L]
</IfModule>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.