Cyber Resilience

CVE-2026-47123

HighUpdated

Published: 29 May 2026

Published
29 May 2026
Modified
17 June 2026
KEV Added
Patch
CVSS Score v3.1 7.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:H/A:N
EPSS Score 0.0014 4.1th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-47123 is a high-severity Authentication Bypass by Spoofing (CWE-290) vulnerability in Vulcoord (inferred from references). Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Email Spoofing (T1684.002); ranked at the 4.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to 1.8.220, the email processing pipeline in FreeScout's FetchEmails command has two code paths for identifying agent (user) replies based on In-Reply-To / References headers.…

more

The notification reply path (notify-{thread_id}-{user_id}-...) extracts thread_id and user_id directly from the Message-ID without HMAC verification. An external attacker who can spoof the From address of a helpdesk agent can inject messages that FreeScout processes as legitimate agent replies — which are then automatically forwarded to customers via the legitimate SMTP server. This vulnerability is fixed in 1.8.220.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1684.002 Email Spoofing Stealth
Adversaries may fake, or spoof, a sender’s identity by modifying the value of relevant email headers in order to establish contact with victims under false pretenses.
T1684.001 Impersonation Stealth
Adversaries may impersonate a trusted person or organization in order to persuade and trick a target into performing some action on their behalf.
Why these techniques?

Vulnerability enables direct email spoofing of agent From addresses and impersonation of legitimate replies due to missing HMAC verification on Message-ID headers (CWE-290/345).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

Affected Assets

Vulcoord
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-290 CWE-345

Directly counters DNS response spoofing by requiring cryptographic origin authentication artifacts from the authoritative source.

addresses: CWE-290 CWE-345

Directly counters DNS response spoofing by requiring cryptographic origin authentication before trusting resolved names/addresses.

addresses: CWE-290

Reveals spoofed logon attempts through unexpected previous logon timestamps upon legitimate login.

addresses: CWE-290

Training specifically addresses recognizing spoofed communications and phishing that enable authentication bypass.

addresses: CWE-290

Requiring verifiable identity evidence at appropriate assurance levels makes it substantially harder for attackers to successfully spoof or impersonate users to obtain accounts.

addresses: CWE-290

Unique device authentication makes successful spoofing of device identity substantially more difficult to achieve.

addresses: CWE-290

Unique identification of non-organizational users reduces the feasibility of authentication bypass by spoofing.

addresses: CWE-290

Unique identification and authentication of services before communications makes spoofing of service identities substantially harder.

References