CVE-2026-47123
Published: 29 May 2026
Summary
CVE-2026-47123 is a high-severity Authentication Bypass by Spoofing (CWE-290) vulnerability in Vulcoord (inferred from references). Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Email Spoofing (T1684.002). It is ranked at the 4.1st percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-33440
Vulnerability details
FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to 1.8.220, the email processing pipeline in FreeScout's FetchEmails command has two code paths for identifying agent (user) replies based on In-Reply-To / References headers. The notification reply path (notify-{thread_id}-{user_id}-...) extracts thread_id and user_id directly from the Message-ID without HMAC verification. An external attacker who can spoof the From address of a helpdesk agent can inject messages that FreeScout processes as legitimate agent replies; these are then automatically forwarded to customers via the legitimate SMTP server. This vulnerability is fixed in 1.8.220.
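The weakness described above is a trust decision made on a header the sender controls: the thread and user identifiers embedded in the In-Reply-To / Message-ID value are accepted as-is, so anyone who can spoof an agent's From address can also name any thread_id and user_id. The following Python script is an added illustration, not FreeScout's code (which is PHP); the Message-ID layout, the `APP_KEY` secret, and the function names are hypothetical. It places the unverified parser beside a hardened one that binds the identifiers to a server-side secret with an HMAC, so a forged or replayed identifier pair no longer resolves to an agent reply.

```python
import hashlib
import hmac
import re
from dataclasses import dataclass
from typing import Optional

# Constructed demo secret. A real deployment would use the application's own
# secret key, never a value that ships in source.
APP_KEY = b"constructed-demo-secret-do-not-reuse"

# Hypothetical Message-ID shape modelled on the notify-{thread_id}-{user_id}-...
# form from the advisory. The third component is free-form in the weak path and
# carries the HMAC tag in the hardened path.
NOTIFY_RE = re.compile(r"^<notify-(\d+)-(\d+)-([^@]+)@(.+)>$")


@dataclass(frozen=True)
class AgentReply:
    thread_id: int
    user_id: int


def _tag_for(thread_id: str, user_id: str) -> str:
    """HMAC over the identifier pair, keyed with a secret only the server holds."""
    msg = f"{thread_id}-{user_id}".encode()
    return hmac.new(APP_KEY, msg, hashlib.sha256).hexdigest()


def build_notify_message_id(thread_id: int, user_id: int,
                            domain: str = "helpdesk.example") -> str:
    """Server-side generation of a notification Message-ID carrying its tag."""
    return f"<notify-{thread_id}-{user_id}-{_tag_for(str(thread_id), str(user_id))}@{domain}>"


def parse_unverified(in_reply_to: str) -> Optional[AgentReply]:
    """Weak path (the pattern the advisory describes): identifiers are taken
    straight from the header and trusted."""
    m = NOTIFY_RE.match(in_reply_to)
    if not m:
        return None
    return AgentReply(int(m.group(1)), int(m.group(2)))


def parse_verified(in_reply_to: str) -> Optional[AgentReply]:
    """Hardened path: the identifiers are accepted only if the tag in the
    header matches the HMAC the server itself would have produced."""
    m = NOTIFY_RE.match(in_reply_to)
    if not m:
        return None
    thread_id, user_id, tag = m.group(1), m.group(2), m.group(3)
    # Constant-time comparison so tag checking does not leak via timing.
    if not hmac.compare_digest(tag, _tag_for(thread_id, user_id)):
        return None
    return AgentReply(int(thread_id), int(user_id))


if __name__ == "__main__":
    legit = build_notify_message_id(42, 7)
    # Constructed inbound header from a sender who guessed the identifier layout.
    forged = "<notify-42-7-anything@helpdesk.example>"
    for label, hdr in (("legitimate", legit), ("forged", forged)):
        print(f"{label:11} unverified={parse_unverified(hdr)} verified={parse_verified(hdr)}")
```

The legitimate Message-ID is accepted by both parsers; the forged one is accepted by `parse_unverified` and rejected by `parse_verified`. The tag also cannot be transplanted to a different thread or user, because the identifier pair is part of the HMAC input. Verifying the tag is necessary but not sufficient on its own: a server that issues these Message-IDs should still apply its normal sender checks (SPF/DKIM/DMARC on inbound mail, and matching the resolved user_id against the From address) before treating a message as an agent reply.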
Related Threats
MITRE ATT&CK Enterprise Techniques (AI)
Why these techniques?
The vulnerability enables direct email spoofing of agent From addresses and impersonation of legitimate replies, because HMAC verification is missing on the Message-ID headers (CWE-290/345).
Affected Assets
Mitigating Controls
Likely Mitigating Controls (AI)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Directly counters DNS response spoofing by requiring cryptographic origin authentication artifacts from the authoritative source.
- Directly counters DNS response spoofing by requiring cryptographic origin authentication before trusting resolved names/addresses.
- Reveals spoofed logon attempts through unexpected previous logon timestamps upon legitimate login.
- Training specifically addresses recognizing spoofed communications and phishing that enable authentication bypass.
- Requiring verifiable identity evidence at appropriate assurance levels makes it substantially harder for attackers to successfully spoof or impersonate users to obtain accounts.
- Unique device authentication makes successful spoofing of device identity substantially more difficult to achieve.
- Unique identification of non-organizational users reduces the feasibility of authentication bypass by spoofing.
- Unique identification and authentication of services before communications makes spoofing of service identities substantially harder.