CVE-2026-40569: CWE-284: Improper Access Control in freescout-help-desk freescout
FreeScout is a free self-hosted help desk and shared mailbox. Versions prior to 1.8.213 have a mass assignment vulnerability in the mailbox connection settings endpoints of FreeScout (`connectionIncomingSave()` at `app/Http/Controllers/MailboxesController.php:468` and `connectionOutgoingSave()` at line 398). Both methods pass `$request->all()` directly to `$mailbox->fill()` without any field allowlisting, allowing an authenticated admin to overwrite any of the 32 fields in the Mailbox model's `$fillable` array -- including security-critical fields that do not belong to the connection settings form, such as `auto_bcc`, `out_server`, `out_password`, `signature`, `auto_reply_enabled`, and `auto_reply_message`. Validation in `connectionIncomingSave()` is entirely commented out, and the validator in `connectionOutgoingSave()` only checks value formats for SMTP fields without stripping extra parameters. An authenticated admin user can exploit this by appending hidden parameters (e.g., `auto_bcc=attacker@evil.com`) to a legitimate connection settings save request. Because the `auto_bcc` field is not displayed on the connection settings form (it only appears on the general mailbox settings page), the injection is invisible to other administrators reviewing connection settings. Once set, every outgoing email from the affected mailbox is silently BCC'd to the attacker via the `SendReplyToCustomer` job. The same mechanism allows redirecting outgoing SMTP through an attacker-controlled server, injecting tracking pixels or phishing links into email signatures, and enabling attacker-crafted auto-replies -- all from a single HTTP request. This is particularly dangerous in multi-admin environments where one admin can silently surveil mailboxes managed by others, and when an admin session is compromised via a separate vulnerability (e.g., XSS), the attacker gains persistent email exfiltration that survives session expiry. Version 1.8.213 fixes the issue.
AI Analysis
Technical Summary
FreeScout before version 1.8.213 has a mass assignment vulnerability in the mailbox connection settings endpoints (`connectionIncomingSave()` and `connectionOutgoingSave()`) where `$request->all()` is passed directly to the mailbox model's `fill()` method without allowlisting fields. This allows an authenticated admin to overwrite any of the 32 fillable fields, including sensitive ones like `auto_bcc`, `out_server`, and `auto_reply_message`. Validation is insufficient or commented out, enabling injection of hidden parameters to silently BCC emails to an attacker, redirect SMTP traffic, and manipulate email content and auto-replies. This vulnerability is particularly dangerous in multi-admin setups or if an admin session is compromised, as it allows persistent unauthorized email surveillance and manipulation. The issue is fixed in version 1.8.213.
Potential Impact
An authenticated admin can silently exfiltrate outgoing emails by injecting an `auto_bcc` address, redirect outgoing SMTP traffic through attacker-controlled servers, and manipulate email signatures and auto-replies. This compromises confidentiality and integrity of email communications. The vulnerability enables persistent unauthorized access and surveillance of mailbox communications, especially in environments with multiple administrators or compromised admin sessions. The CVSS score of 9.0 reflects critical impact with high confidentiality and integrity loss and low attack complexity.
Mitigation Recommendations
Version 1.8.213 of FreeScout fixes this vulnerability by properly restricting mass assignment in mailbox connection settings endpoints. Users should upgrade to version 1.8.213 or later to remediate this issue. Since this is a self-hosted product, administrators must apply the update manually. Patch status is not explicitly stated in the vendor advisory content but the description confirms the fix is included in version 1.8.213. Until upgraded, restrict admin access to trusted users only.
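The vulnerable pattern the description above names and one hardened form, as an added Laravel example that is not FreeScout's own code or its actual fix. The class and `App\Mailbox` namespace, the `$id` route parameter, and the SMTP field names other than `out_server` and `out_password` are assumptions:

```php
<?php
// Added illustration, not code from the FreeScout repository.
// Assumed: the Mailbox model lives in App\Mailbox and the route passes $id.

namespace App\Http\Controllers;

use App\Mailbox;
use Illuminate\Http\Request;

class MailboxesController extends Controller
{
    // Vulnerable pattern: every key in the request body reaches fill(), so any
    // attribute listed in Mailbox::$fillable (auto_bcc, out_server,
    // out_password, signature, auto_reply_* ...) can be overwritten from a
    // form that never displays those fields.
    public function connectionOutgoingSaveVulnerable(Request $request, $id)
    {
        $mailbox = Mailbox::findOrFail($id);
        $mailbox->fill($request->all());
        $mailbox->save();

        return redirect()->back();
    }

    // Hardened form: validate, then persist only the fields this form owns.
    // validate() returns just the keys named in the rules, so extra
    // parameters such as auto_bcc are dropped before fill() ever sees them.
    // Field names other than out_server / out_password are assumed here.
    public function connectionOutgoingSave(Request $request, $id)
    {
        $mailbox = Mailbox::findOrFail($id);

        $validated = $request->validate([
            'out_server'   => 'nullable|string|max:255',
            'out_port'     => 'nullable|integer|between:1,65535',
            'out_username' => 'nullable|string|max:255',
            'out_password' => 'nullable|string|max:255',
        ]);

        // Equivalent allowlisting with $request->only([...]) would also work;
        // the point is that the persisted key set is fixed by the server,
        // not by whatever the client chose to send.
        $mailbox->fill($validated);
        $mailbox->save();

        return redirect()->back();
    }
}
```

Because `$fillable` on the model still lists the sensitive attributes, the allowlist must live in each endpoint; relying on `$fillable` alone does not prevent this class of bug.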
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-04-14T13:24:29.474Z
- CVSS Version: 3.1
- State: PUBLISHED
- Remediation Level: null
Threat ID: 69e7b0e319fe3cd2cde9a462
Added to database: 4/21/2026, 5:16:19 PM
Last enriched: 4/21/2026, 5:32:30 PM
Last updated: 4/22/2026, 6:59:37 AM