CVE-2026-42865: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor in elie222 inbox-zero
Inbox Zero is an AI personal assistant for email. Prior to 2.29.3, the cleaner email stream endpoint used a shared Redis subscription listener, which could deliver thread events for one authenticated account to another authenticated account using the cleaner feature at the same time. This vulnerability is fixed in 2.29.3.
AI Analysis
Technical Summary
Inbox Zero versions before 2.29.3 have a vulnerability where the cleaner email stream endpoint uses a shared Redis subscription listener. This design flaw allows thread events from one authenticated account to be delivered to another authenticated account concurrently using the cleaner feature, leading to unauthorized exposure of sensitive information. The issue is categorized under CWE-200 (Exposure of Sensitive Information). The vulnerability has a CVSS 4.0 base score of 2.3, indicating low severity. The fix is implemented in version 2.29.3.
Potential Impact
The vulnerability allows sensitive email thread events from one authenticated user to be exposed to another authenticated user using the cleaner feature at the same time. This could lead to unauthorized disclosure of email content or metadata between users of the inbox-zero application. There is no indication of remote unauthenticated exploitation or privilege escalation. No known exploits are reported in the wild.
Mitigation Recommendations
Upgrade inbox-zero to version 2.29.3 or later, where this vulnerability is fixed. Since the vendor has released a fixed version, applying this official update is the recommended remediation. Patch status is confirmed by the vendor stating the issue is fixed in 2.29.3. No other mitigation steps are indicated.
CVE-2026-42865: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor in elie222 inbox-zero
Description
Inbox Zero is an AI personal assistant for email. Prior to 2.29.3, the cleaner email stream endpoint used a shared Redis subscription listener, which could deliver thread events for one authenticated account to another authenticated account using the cleaner feature at the same time. This vulnerability is fixed in 2.29.3.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Inbox Zero versions before 2.29.3 have a vulnerability where the cleaner email stream endpoint uses a shared Redis subscription listener. This design flaw allows thread events from one authenticated account to be delivered to another authenticated account concurrently using the cleaner feature, leading to unauthorized exposure of sensitive information. The issue is categorized under CWE-200 (Exposure of Sensitive Information). The vulnerability has a CVSS 4.0 base score of 2.3, indicating low severity. The fix is implemented in version 2.29.3.
Potential Impact
The vulnerability allows sensitive email thread events from one authenticated user to be exposed to another authenticated user using the cleaner feature at the same time. This could lead to unauthorized disclosure of email content or metadata between users of the inbox-zero application. There is no indication of remote unauthenticated exploitation or privilege escalation. No known exploits are reported in the wild.
Mitigation Recommendations
Upgrade inbox-zero to version 2.29.3 or later, where this vulnerability is fixed. Since the vendor has released a fixed version, applying this official update is the recommended remediation. Patch status is confirmed by the vendor stating the issue is fixed in 2.29.3. No other mitigation steps are indicated.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-30T16:44:48.380Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a021aa3cbff5d8610430399
Added to database: 5/11/2026, 6:06:27 PM
Last enriched: 5/11/2026, 6:23:44 PM
Last updated: 5/12/2026, 2:53:41 AM
Views: 8
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.