HIGH 7.5

CVE-2026-47123: FreeScout Email Spoofing Vulnerability – High-Severity Patch Available

FreeScout, a PHP-based help desk platform, contains a flaw in how it processes incoming email replies. Attackers who can forge the sender address of a help desk agent can trick FreeScout into treating their messages as legitimate agent responses. Because the system doesn't cryptographically verify these replies, the spoofed messages get automatically forwarded to customers using the real help desk email account. This means attackers could impersonate support staff and send messages to your customers without proper authorization.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:H/A:N
Weaknesses (CWE)
CWE-290, CWE-345
Affected products
0 configuration(s)
Published / Modified
2026-05-29 / 2026-06-17

NVD description (verbatim)

FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to 1.8.220, the email processing pipeline in FreeScout's FetchEmails command has two code paths for identifying agent (user) replies based on In-Reply-To / References headers. The notification reply path (notify-{thread_id}-{user_id}-...) extracts thread_id and user_id directly from the Message-ID without HMAC verification. An external attacker who can spoof the From address of a helpdesk agent can inject messages that FreeScout processes as legitimate agent replies — which are then automatically forwarded to customers via the legitimate SMTP server. This vulnerability is fixed in 1.8.220.

3 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-47123 exists in FreeScout's email processing pipeline, specifically in the FetchEmails command's notification reply path. The vulnerability stems from insufficient validation of the In-Reply-To and References email headers. When processing incoming messages, FreeScout extracts thread_id and user_id from a specially-crafted Message-ID pattern (notify-{thread_id}-{user_id}-...) without verifying the HMAC signature that should authenticate these identifiers. An attacker controlling or spoofing a sender address can craft a message that matches the expected reply pattern, bypassing the intended authentication mechanism. The message is then processed as a legitimate agent response and relayed to customers via SMTP, allowing unauthorized third-party message injection into customer conversations.

Business impact

This vulnerability creates a significant reputational and operational risk for FreeScout deployments. An attacker can send messages to customers while appearing to come from your support team, damaging customer trust and potentially leading to social engineering attacks, credential harvesting, or malware distribution under the guise of official support. Affected organizations may face customer complaints, brand erosion, and potential liability if sensitive information is compromised or fraudulent guidance is provided. The impact is heightened in security-conscious or regulated industries where communication integrity is critical.

Affected systems

FreeScout versions prior to 1.8.220 are affected. The vulnerability is specific to the email reply processing logic and affects any deployment that uses the FetchEmails command to ingest incoming mail, which is the standard operational mode for most FreeScout installations.

Exploitability

The vulnerability is remotely exploitable without authentication or user interaction. An attacker must be able to forge or control the From address in an email sent to the FreeScout inbox, a capability that requires either network access to relay infrastructure or compromise of email infrastructure upstream of FreeScout. The CVSS score of 7.5 (HIGH) reflects the network-based attack surface and the integrity impact on customer communications, though the AC:H (Attack Complexity: High) rating reflects the practical difficulty of reliably spoofing sender addresses in many email environments.

Remediation

Upgrade FreeScout to version 1.8.220 or later. This release implements HMAC verification for the thread_id and user_id parameters extracted from the Message-ID header, ensuring only legitimately-generated reply patterns are processed as agent responses. Organizations should test the upgrade in a staging environment first, then schedule deployment during a maintenance window to minimize disruption to help desk operations.

Patch guidance

Apply FreeScout version 1.8.220 immediately. No interim mitigations are documented. Because this affects core email processing functionality, the upgrade should be planned carefully to avoid email processing downtime. Verify your current version in the FreeScout admin panel (typically under Settings > About). Backup your database and configuration before upgrading. The upgrade process typically preserves all conversations and user data; consult the FreeScout upgrade documentation for your specific deployment method (Docker, standalone, etc.).

Detection guidance

Monitor FreeScout logs for unusual patterns in the FetchEmails command output or email processing pipeline. Look for messages that claim to be agent replies but originate from unexpected external email addresses or contain anomalous Message-ID headers. Check customer communication logs for messages that appear to come from your support team but were not authored by any user in your system. Implement email authentication (SPF, DKIM, DMARC) at your email gateway to reduce the likelihood of successful From address spoofing before messages reach FreeScout. Review any customer-reported 'unexpected messages from support' during the period before patching.

Why prioritize this

This vulnerability merits immediate patching due to its HIGH severity, remote exploitability, and direct impact on customer trust and communication integrity. The attack does not require authentication or user interaction, and successful exploitation immediately damages your organization's credibility with customers. The integrity impact (confidential information could be fraudulently communicated) combined with the cross-component nature (messages are relayed to customers via legitimate SMTP) elevates business risk significantly. Organizations running FreeScout should treat this as a critical priority.

Risk score, explained

CVSS 3.1 score of 7.5 reflects: Network-based attack vector (AV:N) requiring only internet connectivity; Attack Complexity: High due to the need to spoof email addresses, which varies by infrastructure; No privileges required (PR:N); No user interaction needed (UI:N); Scope: Changed because the impact affects systems beyond the vulnerable component (customer inboxes); Confidentiality impact: Low (attackers do not directly extract data from FreeScout); Integrity impact: High (attackers can inject unauthorized messages into customer communication). The HIGH severity appropriately captures the threat to operational integrity despite the AC:H mitigation factor.

Frequently asked questions

Can attackers steal customer data directly through this vulnerability?

No. This vulnerability allows injection of unauthorized messages into customer conversations, but does not grant direct access to FreeScout's database or customer records. However, attackers could use injected messages to phish customers or direct them to malicious sites, indirectly leading to data compromise.

Does our email authentication (SPF/DKIM) protect us if we run FreeScout?

Email authentication helps reduce (but does not eliminate) the likelihood of successful spoofing at your email gateway. However, if an attacker has access to your email infrastructure or can relay mail through a compromised account, they can still craft valid authenticated messages that FreeScout will misprocess. The vulnerability in FreeScout is independent of email authentication and must be fixed in the application itself.

What if we cannot upgrade immediately?

The core issue is in the email processing logic itself, and no effective workaround is known. Consider temporarily disabling the FetchEmails command if possible, or manually reviewing and re-approving agent reply-related messages before they are forwarded to customers. However, these are operational band-aids—upgrading to 1.8.220 should be the immediate priority.

Does this affect FreeScout's REST API or ticket management, or only incoming email?

The vulnerability is specific to the email processing pipeline (FetchEmails command). If you use FreeScout primarily through the web interface or API to create and manage tickets, this vulnerability does not directly affect those channels. However, most help desk deployments rely on email integration, so the risk is high for typical installations.

This analysis is provided for informational purposes to assist security professionals in risk assessment and remediation planning. SEC.co makes no warranty as to the accuracy, completeness, or applicability of this information to your specific environment. Verify all technical details, version numbers, and patch availability against official FreeScout documentation and advisories before implementing any changes. Testing in a non-production environment is strongly recommended. Consult with your organization's change management and incident response teams before deploying patches to production systems. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).