CVE-2026-40569
Published: 21 April 2026
Summary
CVE-2026-40569 is a critical-severity Improper Access Control (CWE-284) vulnerability. Its CVSS base score is 9.0 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Stored Data Manipulation (T1565.001). Its exploit likelihood ranks at the 17.2 percentile (below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-5 (Access Restrictions for Change) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Mandates input validation mechanisms at API endpoints to whitelist fields and block mass assignment of unauthorized parameters like auto_bcc.
- Requires timely flaw remediation by applying the FreeScout 1.8.213 patch that fixes the mass assignment vulnerability in mailbox controllers.
- Restricts and authorizes changes to mailbox configuration settings, preventing admins from overwriting security-critical fields via unvalidated inputs.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Mass assignment allows direct unauthorized modification of Mailbox model fields, enabling stored data manipulation (T1565.001), transmitted data manipulation via signatures/auto-replies (T1565.002), content injection of phishing/tracking elements (T1659), and auto_bcc forwarding rules for email collection/exfiltration (T1114.003).
NVD Description
FreeScout is a free self-hosted help desk and shared mailbox. Versions prior to 1.8.213 have a mass assignment vulnerability in the mailbox connection settings endpoints of FreeScout (`connectionIncomingSave()` at `app/Http/Controllers/MailboxesController.php:468` and `connectionOutgoingSave()` at line 398). Both methods pass `$request->all()` directly to `$mailbox->fill()` without any field allowlisting, allowing an authenticated admin to overwrite any of the 32 fields in the Mailbox model's `$fillable` array -- including security-critical fields that do not belong to the connection settings form, such as `auto_bcc`, `out_server`, `out_password`, `signature`, `auto_reply_enabled`, and `auto_reply_message`. Validation in `connectionIncomingSave()` is entirely commented out, and the validator in `connectionOutgoingSave()` only checks value formats for SMTP fields without stripping extra parameters. An authenticated admin user can exploit this by appending hidden parameters (e.g., `auto_bcc=attacker@evil.com`) to a legitimate connection settings save request. Because the `auto_bcc` field is not displayed on the connection settings form (it only appears on the general mailbox settings page), the injection is invisible to other administrators reviewing connection settings. Once set, every outgoing email from the affected mailbox is silently BCC'd to the attacker via the `SendReplyToCustomer` job. The same mechanism allows redirecting outgoing SMTP through an attacker-controlled server, injecting tracking pixels or phishing links into email signatures, and enabling attacker-crafted auto-replies -- all from a single HTTP request. This is particularly dangerous in multi-admin environments where one admin can silently surveil mailboxes managed by others, and when an admin session is compromised via a separate vulnerability (e.g., XSS), the attacker gains persistent email exfiltration that survives session expiry. Version 1.8.213 fixes the issue.
Deeper analysis
CVE-2026-40569 is a mass assignment vulnerability affecting FreeScout, a free self-hosted help desk and shared mailbox application. Versions prior to 1.8.213 are vulnerable in the mailbox connection settings endpoints, specifically the `connectionIncomingSave()` method at `app/Http/Controllers/MailboxesController.php:468` and `connectionOutgoingSave()` at line 398. These methods pass `$request->all()` directly to `$mailbox->fill()` without field allowlisting, enabling overwriting of any of the 32 fields in the Mailbox model's `$fillable` array. This includes security-critical fields outside the connection settings form, such as `auto_bcc`, `out_server`, `out_password`, `signature`, `auto_reply_enabled`, and `auto_reply_message`. Validation is absent or insufficient, with `connectionIncomingSave()` having commented-out checks and `connectionOutgoingSave()` only validating SMTP field formats without stripping extras.
An authenticated administrator can exploit this vulnerability by appending hidden parameters (e.g., `auto_bcc=attacker@evil.com`) to a legitimate connection settings save request. This invisibly injects values since fields like `auto_bcc` are not shown on the connection form, evading detection by other admins. Successful exploitation enables silent BCC'ing of every outgoing email from the mailbox to the attacker via the `SendReplyToCustomer` job, redirection of outgoing SMTP through an attacker-controlled server, injection of tracking pixels or phishing links into signatures, and enabling attacker-crafted auto-replies—all from one HTTP request. In multi-admin setups, a single compromised admin can surveil others' mailboxes; if triggered via XSS, it provides persistent email exfiltration surviving session expiry. The CVSS score is 9.0 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:L), linked to CWE-284 and CWE-915.
FreeScout version 1.8.213 addresses the issue, as detailed in the project's security advisory (GHSA-hmqm-33wp-858j), release notes, and fixing commit (f45b9105d43b0352c08fcca154e8ae6177c3d860). Security practitioners should upgrade to 1.8.213 or later and review Mailbox configurations for unauthorized changes in affected instances.
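The pattern that both the NVD description and the deeper analysis above describe, shown as an added example rather than FreeScout's own code: a minimal Eloquent-style stand-in for the Mailbox model, the vulnerable `fill($request->all())` save beside an endpoint-level allowlist that strips unexpected keys. The form field list, the request payload, and every field name other than `auto_bcc`, `out_server` and `out_password` are assumptions made for the illustration.

```php
<?php
// Added illustration, not FreeScout's code: a minimal Eloquent-style model showing
// why handing every request parameter to fill() is dangerous and how to fix it.
class Mailbox
{
    // Model-wide allowlist, like Eloquent's $fillable (FreeScout's has 32 entries).
    // Names other than auto_bcc, out_server and out_password are assumed here.
    private array $fillable = [
        'out_method', 'out_server', 'out_port', 'out_username', 'out_password',
        'out_encryption', 'auto_bcc', 'signature', 'auto_reply_enabled', 'auto_reply_message',
    ];
    public array $attributes = [];

    // As in Eloquent: every key present in $fillable is assigned, nothing else.
    public function fill(array $input): void
    {
        foreach ($input as $key => $value) {
            if (in_array($key, $this->fillable, true)) {
                $this->attributes[$key] = $value;
            }
        }
    }
}

// Fields the outgoing-connection form actually submits (constructed list).
const OUT_CONNECTION_FIELDS = ['out_method', 'out_server', 'out_port',
                               'out_username', 'out_password', 'out_encryption'];

// Vulnerable: the whole request reaches fill(), so any $fillable column can be set.
function connectionOutgoingSaveVulnerable(Mailbox $m, array $request): void
{
    $m->fill($request);   // equivalent to $mailbox->fill($request->all())
}

// Hardened: allowlist the form's own fields before fill(). In Laravel,
// $request->only(OUT_CONNECTION_FIELDS) or the array returned by
// $request->validate([...]) does this; format-only validation does not.
function connectionOutgoingSaveFixed(Mailbox $m, array $request): array
{
    $allowed = array_intersect_key($request, array_flip(OUT_CONNECTION_FIELDS));
    $m->fill($allowed);
    return array_keys(array_diff_key($request, $allowed)); // unexpected keys: log them
}

// Constructed request: a legitimate SMTP save carrying one unexpected key.
$request = ['out_server' => 'smtp.example.test', 'out_port' => 587, 'auto_bcc' => 'hidden@example.test'];
$vuln = new Mailbox();  connectionOutgoingSaveVulnerable($vuln, $request);
$fixed = new Mailbox(); $dropped = connectionOutgoingSaveFixed($fixed, $request);
printf("vulnerable auto_bcc set: %d; fixed auto_bcc set: %d; dropped: %s\n",
       isset($vuln->attributes['auto_bcc']), isset($fixed->attributes['auto_bcc']), implode(',', $dropped));
```

The list returned by the hardened save is the signal worth alerting on during the configuration review the paragraph above recommends: a connection-settings request that carries `auto_bcc`, `out_server` or similar keys the form never sends.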
Details
- CWE(s)