CVE-2026-47123 Overview
CVE-2026-47123 is an authentication bypass vulnerability in FreeScout, a free help desk and shared inbox application built on PHP's Laravel framework. The flaw resides in the FetchEmails command's email processing pipeline. FreeScout uses two code paths to identify agent replies based on In-Reply-To and References headers. The notification reply path parses thread_id and user_id directly from the Message-ID without verifying the embedded HMAC. An attacker who spoofs the From address of a helpdesk agent can inject messages that FreeScout processes as legitimate agent replies. FreeScout then forwards those messages to customers through the configured SMTP server. The issue is fixed in FreeScout 1.8.220 and is classified under CWE-290 (Authentication Bypass by Spoofing).
Critical Impact
Attackers can impersonate helpdesk agents and deliver attacker-controlled content to customers through the victim organization's legitimate SMTP infrastructure.
Affected Products
- FreeScout versions prior to 1.8.220
- FreeScout help desk and shared inbox (Laravel-based)
- Deployments processing inbound email via the FetchEmails command
Discovery Timeline
- 2026-05-29 - CVE-2026-47123 published to NVD
- 2026-06-02 - Last updated in NVD database
Technical Details for CVE-2026-47123
Vulnerability Analysis
FreeScout matches inbound email replies to existing conversations using the In-Reply-To and References MIME headers. One of the matching paths recognizes notification-style identifiers in the format notify-{thread_id}-{user_id}-.... When FreeScout encounters this pattern, it extracts the thread_id and user_id values and treats the inbound message as a reply authored by that agent. The reply is then appended to the conversation and automatically forwarded to the customer associated with the thread via the outbound SMTP server.
The legitimate generation path for these Message-IDs includes an HMAC component intended to prove that FreeScout itself originated the identifier. The vulnerable parsing path does not validate this HMAC. Combined with insufficient validation of the From address, the system accepts spoofed messages as authentic agent communications.
Root Cause
The root cause is missing cryptographic verification of trust-bearing identifiers. The notification reply handler trusts the structure of the Message-ID without recomputing or comparing the HMAC that authenticates thread_id and user_id. This maps directly to CWE-290, where the system relies on an attacker-controllable claim of identity rather than a verified credential.
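The following added example (not FreeScout's code) contrasts the two behaviours described above: a resolver that trusts the notify-{thread_id}-{user_id}-... structure alone, and a hardened one that recomputes the tag and accepts only on a constant-time match. The identifier layout notify-{thread_id}-{user_id}-{tag}@{domain}, the use of HMAC-SHA256 over "thread_id:user_id", the APP_KEY value and all function names are assumptions for illustration; FreeScout's real layout and key derivation are not reproduced here. The hardened resolver returns a dict with the resolved ids and an accept/reject reason, which is the shape of record the per-message audit logging later in this advisory calls for.

```python
import hashlib
import hmac
import re
from typing import Optional

# Constructed application secret; FreeScout derives its real key from its own
# configuration, which this example does not reproduce.
APP_KEY = b"example-app-key-not-a-real-secret"

# Assumed layout: notify-{thread_id}-{user_id}-{tag}@{domain}. What follows the
# user_id in real FreeScout identifiers is an assumption here.
LOOSE_RE = re.compile(r"^<?notify-(\d+)-(\d+)-")
STRICT_RE = re.compile(r"^<?notify-(\d+)-(\d+)-([0-9a-f]{64})@[^@>\s]+>?$")


def notification_tag(thread_id: int, user_id: int) -> str:
    """Tag binding thread_id and user_id to the application key (assumed scheme)."""
    return hmac.new(APP_KEY, f"{thread_id}:{user_id}".encode(), hashlib.sha256).hexdigest()


def build_message_id(thread_id: int, user_id: int, domain: str = "helpdesk.example") -> str:
    """What the legitimate notification sender would emit under the assumed scheme."""
    return f"<notify-{thread_id}-{user_id}-{notification_tag(thread_id, user_id)}@{domain}>"


def candidate_ids(headers: dict) -> list:
    """In-Reply-To first, then every token of References, in header order."""
    ids = []
    if headers.get("In-Reply-To"):
        ids.append(headers["In-Reply-To"].strip())
    ids.extend(headers.get("References", "").split())
    return ids


def resolve_vulnerable(headers: dict) -> Optional[dict]:
    """Pre-1.8.220 behaviour as the advisory describes it: structure alone is trusted."""
    for mid in candidate_ids(headers):
        m = LOOSE_RE.match(mid)
        if m:
            return {"thread_id": int(m.group(1)), "user_id": int(m.group(2)),
                    "accepted": True, "reason": "pattern-match"}
    return None


def resolve_hardened(headers: dict) -> Optional[dict]:
    """Recompute the tag and accept only on a constant-time match.

    Every notification-looking identifier yields a record, accepted or not,
    so the decision can be written to the audit log.
    """
    for mid in candidate_ids(headers):
        if not LOOSE_RE.match(mid):
            continue
        m = STRICT_RE.match(mid)
        if not m:
            return {"message_id": mid, "accepted": False, "reason": "malformed-notification-id"}
        thread_id, user_id, tag = int(m.group(1)), int(m.group(2)), m.group(3)
        ok = hmac.compare_digest(tag, notification_tag(thread_id, user_id))
        return {"thread_id": thread_id, "user_id": user_id,
                "accepted": ok, "reason": "hmac-ok" if ok else "hmac-mismatch"}
    return None


# Constructed sample headers: one genuine notification reply and two forgeries
# that carry the right ids but no valid tag.
GENUINE = {"From": "alice@helpdesk.example", "In-Reply-To": build_message_id(4711, 7)}
FORGED_SHORT = {"From": "alice@helpdesk.example",
                "References": "<unrelated@mail.example> <notify-4711-7-00@helpdesk.example>"}
FORGED_BAD_TAG = {"From": "alice@helpdesk.example",
                  "In-Reply-To": "<notify-4711-7-" + "0" * 64 + "@helpdesk.example>"}

if __name__ == "__main__":
    for name, hdrs in [("genuine", GENUINE), ("forged-short", FORGED_SHORT), ("forged-bad-tag", FORGED_BAD_TAG)]:
        print(name, "vulnerable:", resolve_vulnerable(hdrs), "hardened:", resolve_hardened(hdrs))
```

The point the two resolvers make is that the ids in the identifier are claims, and only the recomputed tag turns them into something the application may act on; a rejected record still carries the claimed ids so that a spoofing attempt shows up in the log with the agent it tried to impersonate.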
Attack Vector
Exploitation requires the attacker to send an email to the FreeScout-monitored mailbox with a crafted In-Reply-To or References header matching the notify-{thread_id}-{user_id}-... pattern. The attacker must also spoof the From address to match a known agent. Valid thread_id and user_id values can be inferred from prior interactions, harvested from leaked emails, or brute-forced given that they are sequential integers. Once accepted, FreeScout posts the message into the conversation and relays it to the customer using the organization's SMTP server, lending the attacker credibility and bypassing recipient-side anti-spoofing controls.
No verified exploit code is publicly available. See the GitHub Security Advisory and the upstream commit for the authoritative technical description.
Detection Methods for CVE-2026-47123
Indicators of Compromise
- Inbound messages whose In-Reply-To or References headers contain notify-{thread_id}-{user_id}- patterns but originate from external SMTP infrastructure.
- Mismatch between the envelope sender, the From header, and the agent identity referenced by the Message-ID.
- Outbound FreeScout messages relayed to customers shortly after receipt of a suspect inbound email, without a corresponding agent login session.
Detection Strategies
- Compare the HMAC segment of inbound notification Message-IDs against the value FreeScout would generate for the referenced thread_id and user_id; flag mismatches.
- Alert on SPF, DKIM, and DMARC failures for inbound mail whose From address matches an internal agent account.
- Correlate FreeScout conversation events with agent web session activity to identify replies posted without an authenticated agent session.
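As an added example (not from FreeScout or the advisory's authors), the triage routine below applies the indicators and strategies listed above to inbound message metadata: a notification-style identifier arriving via an external relay, an HMAC segment that does not match the recomputed value, an envelope sender that disagrees with an internal From header, and SPF/DKIM/DMARC verdicts other than pass for mail claiming an internal agent address. The message records, the helpdesk.example domain, the 10.0.0.0/8 relay range, the APP_KEY and the HMAC-SHA256 tag scheme are all constructed assumptions; the Authentication-Results parsing is deliberately minimal.

```python
import hashlib
import hmac
import re
from email.utils import parseaddr
from ipaddress import ip_address, ip_network

INTERNAL_DOMAIN = "helpdesk.example"            # assumed agent mail domain
TRUSTED_RELAYS = [ip_network("10.0.0.0/8")]      # constructed internal relay range
APP_KEY = b"example-app-key-not-a-real-secret"   # constructed; not FreeScout's key
NOTIFY_RE = re.compile(r"notify-(\d+)-(\d+)-([0-9a-f]*)@")


def notification_tag(thread_id: int, user_id: int) -> str:
    """Assumed tag scheme: HMAC-SHA256 over 'thread_id:user_id'."""
    return hmac.new(APP_KEY, f"{thread_id}:{user_id}".encode(), hashlib.sha256).hexdigest()


def parse_auth_results(value: str) -> dict:
    """Pull the spf/dkim/dmarc verdicts out of an Authentication-Results header."""
    verdicts = {}
    for clause in value.split(";")[1:]:          # first clause is the authserv-id
        m = re.match(r"\s*(spf|dkim|dmarc)=(\w+)", clause)
        if m:
            verdicts[m.group(1)] = m.group(2)
    return verdicts


def domain_of(addr: str) -> str:
    return parseaddr(addr)[1].rpartition("@")[2].lower()


def analyse(msg: dict) -> list:
    """Return the indicator names triggered by one inbound message record."""
    findings = []
    from_domain = domain_of(msg["From"])
    env_domain = domain_of(msg["envelope_from"])
    source = ip_address(msg["source_ip"])
    external = not any(source in net for net in TRUSTED_RELAYS)
    verdicts = parse_auth_results(msg.get("Authentication-Results", ""))

    notify = NOTIFY_RE.search(msg.get("In-Reply-To", "") + " " + msg.get("References", ""))
    if notify:
        if external:
            findings.append("notify-id-from-external-relay")
        thread_id, user_id, tag = int(notify.group(1)), int(notify.group(2)), notify.group(3)
        if not hmac.compare_digest(tag, notification_tag(thread_id, user_id)):
            findings.append("hmac-mismatch")
    if from_domain == INTERNAL_DOMAIN:
        if env_domain != from_domain:
            findings.append("envelope-from-mismatch")
        failed = [k for k in ("spf", "dkim", "dmarc") if verdicts.get(k) != "pass"]
        if failed:
            findings.append("internal-from-auth-failure:" + ",".join(failed))
    return findings


# Constructed inbound message records: a genuine agent reply through the internal
# relay, a spoofed agent reply from outside, and an ordinary customer reply.
SAMPLES = [
    {"From": "Alice Agent <alice@helpdesk.example>", "envelope_from": "alice@helpdesk.example",
     "source_ip": "10.1.2.3",
     "Authentication-Results": "mx.helpdesk.example; spf=pass smtp.mailfrom=helpdesk.example; "
                               "dkim=pass header.d=helpdesk.example; dmarc=pass header.from=helpdesk.example",
     "In-Reply-To": f"<notify-4711-7-{notification_tag(4711, 7)}@helpdesk.example>"},
    {"From": "Alice Agent <alice@helpdesk.example>", "envelope_from": "bounce@sender.example",
     "source_ip": "198.51.100.23",
     "Authentication-Results": "mx.helpdesk.example; spf=fail smtp.mailfrom=sender.example; "
                               "dkim=none; dmarc=fail header.from=helpdesk.example",
     "References": "<notify-4711-7-0000@helpdesk.example>"},
    {"From": "Bob <bob@customer.example>", "envelope_from": "bob@customer.example",
     "source_ip": "203.0.113.5",
     "Authentication-Results": "mx.helpdesk.example; spf=pass smtp.mailfrom=customer.example; "
                               "dkim=pass header.d=customer.example; dmarc=pass header.from=customer.example",
     "In-Reply-To": "<abc123@helpdesk.example>"},
]

if __name__ == "__main__":
    for i, msg in enumerate(SAMPLES):
        print(i, msg["From"], "->", analyse(msg) or "clean")
```

If agents reply from a hosted mail provider rather than an internal relay, the provider's sending ranges belong in TRUSTED_RELAYS, otherwise every legitimate agent reply trips the external-relay indicator; the HMAC and authentication-result checks do not depend on the relay list and remain the decisive signals.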
Monitoring Recommendations
- Log every Message-ID parsed by the FetchEmails command alongside the resolved user_id and authentication decision.
- Monitor outbound SMTP volume per agent and alert on anomalous spikes that may indicate automated impersonation.
- Forward FreeScout application and mail server logs to a centralized analytics platform for cross-source correlation.
How to Mitigate CVE-2026-47123
Immediate Actions Required
- Upgrade FreeScout to version 1.8.220 or later, which enforces HMAC verification on the notification reply path.
- Enforce DMARC with a reject policy for the organizational domain to block spoofed agent From addresses at the mail gateway.
- Audit recent conversations for replies that were delivered to customers without a matching agent web session.
Patch Information
The maintainers fixed the issue in FreeScout 1.8.220. The remediation is published in the GitHub Security Advisory GHSA-6r38-6mcf-2ww3 and applied in the upstream commit d902f19. The fix adds HMAC validation to the notification reply identifier path so that spoofed Message-IDs are rejected.
Workarounds
- Restrict the inbound mailbox FreeScout polls to accept mail only from authenticated relays or trusted IP ranges.
- Configure the mail gateway to drop or quarantine inbound messages whose From domain matches the organization's own domain but fail SPF or DKIM.
- Temporarily disable the notification reply matching path if operationally feasible, forcing FreeScout to rely on the alternate reply identification logic until patched.
# Configuration example: upgrade FreeScout to the patched release
cd /var/www/freescout
sudo -u www-data git fetch --tags
sudo -u www-data git checkout 1.8.220
# Runs FreeScout's post-update tasks (migrations, cache clearing)
sudo -u www-data php artisan freescout:after-app-update
# The PHP-FPM unit name is distribution-specific (for example php8.2-fpm on Debian/Ubuntu)
sudo systemctl restart php-fpm nginx
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.