CVE-2026-40566: CWE-918: Server-Side Request Forgery (SSRF) in freescout-help-desk freescout
FreeScout is a free self-hosted help desk and shared mailbox. Versions prior to 1.8.213 have a Server-Side Request Forgery (SSRF) vulnerability in the IMAP/SMTP connection test functionality of FreeScout's `MailboxesController`. Three AJAX actions `fetch_test` (line 731), `send_test` (line 682), and `imap_folders` (line 773) in `app/Http/Controllers/MailboxesController.php` pass admin-configured `in_server`/`in_port` and `out_server`/`out_port` values directly to `fsockopen()` via `Helper::checkPort()` and to IMAP/SMTP client connections with zero SSRF protection. There is no IP validation, no hostname restriction, no blocklist of internal ranges, and no call to the project's own `sanitizeRemoteUrl()` or `checkUrlIpAndHost()` functions. The validation block in `connectionIncomingSave()` is entirely commented out. An authenticated admin can configure a mailbox's IMAP or SMTP server to point at any internal host and port, then trigger a connection test. The server opens raw TCP connections (via `fsockopen()`) and protocol-level connections (via IMAP client or SMTP transport) to the attacker-specified target. The response differentiates open from closed ports, enabling internal network port scanning. When the IMAP client connects to a non-IMAP service, the target's service banner or error response is captured in the IMAP debug log and returned in the AJAX response's `log` field, making this a semi-blind SSRF that enables service fingerprinting. In cloud environments, the metadata endpoint at `169[.]254[.]169[.]254` can be probed and partial response data may be leaked through protocol error messages. This is distinct from the `sanitizeRemoteUrl()` redirect bypass (freescout-3) -- different code path, different root cause, different protocol layer. Version 1.8.213 patches the vulnerability.
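The description above locates the defect at the point where the connection test hands the admin-supplied host and port to `fsockopen()` and the IMAP/SMTP clients without any IP or hostname check. The following is an added example of such a check, written here for illustration; it is not FreeScout's code and does not reproduce the project's own `sanitizeRemoteUrl()` or `checkUrlIpAndHost()`. The function names `isPublicIp`, `assertSafeMailHost` and `checkPortSafely` are assumptions, and the field names `in_server`/`in_port` in the comments come from the description.

```php
<?php
// Added example (not FreeScout's code): a destination check of the kind the
// advisory says is missing before the connection test hands in_server/in_port
// to fsockopen() or the IMAP/SMTP clients. Function names are hypothetical.

/**
 * True if $ip is a public, routable address. filter_var's flags reject
 * loopback, link-local (which covers 169.254.169.254), RFC 1918 and reserved
 * ranges for both IPv4 and IPv6; 100.64.0.0/10 is denied explicitly because
 * the flags do not cover it.
 */
function isPublicIp(string $ip): bool
{
    $ok = filter_var($ip, FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) !== false;
    if ($ok && filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) !== false) {
        // 100.64.0.0/10: compare the top 10 bits of the address (64-bit PHP)
        $ok = (ip2long($ip) >> 22) !== (ip2long('100.64.0.0') >> 22);
    }
    return $ok;
}

/**
 * Vet an admin-configured mail host and port before any socket is opened.
 * Returns the resolved addresses that passed, or throws. A name that resolves
 * to even one internal address is rejected, and callers should connect to a
 * returned address rather than re-resolving the name, so a DNS answer cannot
 * change between the check and the connection.
 */
function assertSafeMailHost(string $host, int $port): array
{
    if ($port < 1 || $port > 65535) {
        throw new InvalidArgumentException("Port out of range: $port");
    }
    $host = trim($host, "[] \t");               // accept bracketed IPv6 literals

    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        $addrs = [$host];                       // IP literal: no DNS needed
    } else {
        $addrs = gethostbynamel($host) ?: [];   // A records
        foreach (dns_get_record($host, DNS_AAAA) ?: [] as $rec) {
            if (!empty($rec['ipv6'])) {
                $addrs[] = $rec['ipv6'];        // AAAA records
            }
        }
    }
    if ($addrs === []) {
        throw new InvalidArgumentException("Host does not resolve: $host");
    }
    foreach ($addrs as $addr) {
        if (!isPublicIp($addr)) {
            throw new InvalidArgumentException("$host resolves to internal address $addr");
        }
    }
    return $addrs;
}

/**
 * Sketch of use in a connection test handler: connect to a vetted address
 * (IPv6 literals must be bracketed for fsockopen) and report only a boolean.
 * The raw client debug log stays out of the JSON reply, since the advisory
 * notes that the 'log' field is what carries service banners back to the caller.
 */
function checkPortSafely(string $host, int $port, float $timeout = 5.0): bool
{
    $addr = assertSafeMailHost($host, $port)[0];
    $target = strpos($addr, ':') !== false ? "[$addr]" : $addr;
    $fp = @fsockopen($target, $port, $errno, $errstr, $timeout);
    if ($fp === false) {
        return false;
    }
    fclose($fp);
    return true;
}
```

Whether a blocklist is the right policy depends on the deployment: a self-hosted help desk may legitimately use an intranet IMAP server, in which case an explicit allowlist of permitted mail hosts, configured outside the web UI, fits better than a range denylist. When the client then speaks TLS to the vetted IP, pass the original hostname for certificate verification (in PHP, the `peer_name` SSL stream context option) rather than disabling verification.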
AI Analysis
Technical Summary
CVE-2026-40566 is an SSRF vulnerability in FreeScout's MailboxesController affecting versions before 1.8.213. The vulnerability arises because admin-configured IMAP/SMTP server and port values are passed directly to fsockopen() and IMAP/SMTP client connections without IP validation, hostname restrictions, or internal range blocklists. The connection test AJAX actions fetch_test, send_test, and imap_folders enable an authenticated admin to cause the server to open TCP and protocol-level connections to arbitrary internal targets. Responses reveal open or closed ports and capture service banners or error messages, enabling internal port scanning and service fingerprinting. In cloud environments, the metadata endpoint at 169.254.169.254 can be probed, potentially leaking partial data. The vulnerability is distinct from other redirect bypass issues and was fixed in FreeScout version 1.8.213.
Potential Impact
An authenticated administrator can exploit this vulnerability to perform SSRF attacks that allow internal network port scanning and service fingerprinting. This can expose internal services and cloud metadata endpoints, potentially leaking sensitive information. The CVSS score of 4.1 reflects a medium severity with low confidentiality impact, no integrity or availability impact, and requires high privileges (admin) to exploit.
Mitigation Recommendations
Upgrade FreeScout to version 1.8.213 or later, where this SSRF vulnerability has been patched. Since this is a self-hosted product, administrators must apply the update to remediate the issue. No vendor advisory content contradicts this; therefore, patching is the recommended and effective mitigation.
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-04-14T13:24:29.474Z
- Cvss Version: 3.1
- State: PUBLISHED
- Remediation Level: null
Threat ID: 69e7a64f19fe3cd2cde569c8
Added to database: 4/21/2026, 4:31:11 PM
Last enriched: 4/21/2026, 4:46:39 PM
Last updated: 4/22/2026, 6:07:09 AM
Views: 12