PatchSiren cyber security CVE debrief
CVE-2026-42865 elie222 CVE debrief
CVE-2026-42865 is a low-severity information exposure issue in Inbox Zero’s cleaner email stream endpoint. According to the vendor advisory and NVD, versions before 2.29.3 used a shared Redis subscription listener that could deliver thread events from one authenticated account to another authenticated account when the cleaner feature was used at the same time. The issue was fixed in 2.29.3.
- Vendor
- elie222
- Product
- inbox-zero
- CVSS
- LOW 2.3
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-05-11
- Original CVE updated
- 2026-05-21
- Advisory published
- 2026-05-11
- Advisory updated
- 2026-05-21
Who should care
Administrators and operators of Inbox Zero deployments, especially environments where multiple authenticated users can use the cleaner feature concurrently. Security teams should prioritize this if the application handles sensitive email metadata or thread information.
Technical summary
The vulnerable behavior involved a single Redis subscription listener shared across all clients of the cleaner email stream endpoint. When two authenticated accounts used the cleaner feature at the same time, thread events meant for one account could be delivered to the other account's stream. The advisory identifies this as a confidentiality problem (CWE-200) with no indicated integrity or availability impact, and the description involves no exploitation step beyond concurrent legitimate use of the feature. NVD's affected range covers versions before 2.29.3; 2.29.3 and later are excluded as fixed.
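The following added example models the failure class the advisory describes and the fix shape it implies. It is illustrative code written for this debrief, not Inbox Zero's code, and it assumes nothing about the project's real module names: `FakeRedisChannel` stands in for a Redis pub/sub channel, and the event shape and account names are constructed. The vulnerable listener fans every event out to every connected client; the hardened listener keys connected clients by the authenticated account and routes each event only to that account's sinks.

```typescript
// Added illustrative model of a shared pub/sub listener leaking events across
// accounts (CWE-200). Not Inbox Zero's code; names and data are constructed.

type ThreadEvent = { accountId: string; threadId: string; action: string };
type Sink = (e: ThreadEvent) => void;

interface StreamListener {
  // accountId must come from the authenticated session, never from the client body.
  connect(accountId: string, sink: Sink): void;
}

// Stand-in for a Redis pub/sub channel: one subscription, many messages.
class FakeRedisChannel {
  private handlers: Array<(msg: string) => void> = [];
  subscribe(h: (msg: string) => void): void { this.handlers.push(h); }
  publish(msg: string): void { this.handlers.forEach((h) => h(msg)); }
}

// Vulnerable pattern: one process-wide subscription, and every message is
// pushed to every connected stream regardless of which account it belongs to.
class SharedListenerVulnerable implements StreamListener {
  private sinks: Sink[] = [];
  constructor(channel: FakeRedisChannel) {
    channel.subscribe((msg) => {
      const ev = JSON.parse(msg) as ThreadEvent;
      this.sinks.forEach((s) => s(ev));
    });
  }
  connect(_accountId: string, sink: Sink): void { this.sinks.push(sink); }
}

// Hardened pattern: sinks are registered under the authenticated account and
// the listener delivers an event only to sinks registered for ev.accountId.
class PerAccountListener implements StreamListener {
  private sinks = new Map<string, Set<Sink>>();
  constructor(channel: FakeRedisChannel) {
    channel.subscribe((msg) => {
      const ev = JSON.parse(msg) as ThreadEvent;
      (this.sinks.get(ev.accountId) ?? new Set<Sink>()).forEach((s) => s(ev));
    });
  }
  connect(accountId: string, sink: Sink): () => void {
    const set = this.sinks.get(accountId) ?? new Set<Sink>();
    set.add(sink);
    this.sinks.set(accountId, set);
    // Unsubscribe on disconnect so a closed stream does not keep receiving.
    return () => { set.delete(sink); };
  }
}

// Two accounts use the cleaner concurrently; each should see only its own threads.
function simulate(make: (ch: FakeRedisChannel) => StreamListener): Record<string, string[]> {
  const channel = new FakeRedisChannel();
  const listener = make(channel);
  const received: Record<string, string[]> = { alice: [], bob: [] };
  listener.connect("alice", (e) => received.alice.push(e.threadId));
  listener.connect("bob", (e) => received.bob.push(e.threadId));
  // Constructed sample events published by the server-side cleaner worker.
  channel.publish(JSON.stringify({ accountId: "alice", threadId: "t-a1", action: "archive" }));
  channel.publish(JSON.stringify({ accountId: "bob", threadId: "t-b1", action: "archive" }));
  channel.publish(JSON.stringify({ accountId: "alice", threadId: "t-a2", action: "label" }));
  return received;
}

function runVulnerable(): Record<string, string[]> {
  return simulate((ch) => new SharedListenerVulnerable(ch));
}

function runFixed(): Record<string, string[]> {
  return simulate((ch) => new PerAccountListener(ch));
}

// True if any account's stream contains a thread id from another account.
function leaksAcrossAccounts(received: Record<string, string[]>): boolean {
  return received.alice.some((t) => t.startsWith("t-b")) ||
         received.bob.some((t) => t.startsWith("t-a"));
}
```

The routing key is the account id carried in the server-published event, matched against the account id of the authenticated session that opened the stream. A per-account Redis channel name would achieve the same isolation at the subscription layer; either way the point is that the fan-out must be scoped by account rather than by process.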
Defensive priority
Low. The issue is publicly disclosed and patched, and the reported impact is limited to cross-account exposure of thread events, with no integrity or availability effect. Upgrade to the fixed release as part of routine security maintenance; move faster if the deployment is multi-user or the mailboxes it manages contain sensitive data.
Recommended defensive actions
- Upgrade Inbox Zero to version 2.29.3 or later.
- Verify that all deployed instances are no longer running a vulnerable version prior to 2.29.3.
- Review whether the cleaner feature is used by multiple authenticated users and, if so, treat cross-account event handling as a confidentiality risk until patched.
- Until patched, reduce the likelihood of concurrent cleaner use across accounts where the deployment allows it (for example, by limiting who can run the cleaner at a given time), since the exposure depends on two accounts using the feature simultaneously.
- Track the vendor advisory and release notes for any follow-up fixes or related issues.
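The version check in the actions above is easy to get wrong when done by string comparison ("2.29.10" sorts before "2.29.3" lexically). The helper below is added for this debrief and is not part of Inbox Zero; the inventory of hostnames and versions is constructed. It treats a pre-release build of 2.29.3 as still vulnerable, which is the conservative reading when a build predates the tagged fix.

```typescript
// Added helper for checking collected Inbox Zero versions against the fixed
// release. Not project code; the sample inventory below is constructed.

const FIXED_VERSION = "2.29.3";

type Parsed = { core: [number, number, number]; prerelease: boolean };

// Accepts "2.29.3", "v2.29.3", "2.29.3-rc.1", "2.29.3+build7".
function parseVersion(v: string): Parsed {
  const trimmed = v.trim().replace(/^v/i, "");
  const prerelease = /-/.test(trimmed.split("+")[0]);
  const core = trimmed.split(/[-+]/)[0].split(".").map((p) => Number(p));
  if (core.length !== 3 || core.some((n) => !Number.isInteger(n) || n < 0)) {
    throw new Error(`unparseable version: ${v}`);
  }
  return { core: [core[0], core[1], core[2]], prerelease };
}

// Numeric, component-wise comparison of the major.minor.patch core.
function compareCore(a: [number, number, number], b: [number, number, number]): number {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Vulnerable if strictly below 2.29.3, or a pre-release build of 2.29.3 itself.
function isVulnerable(version: string): boolean {
  const v = parseVersion(version);
  const fixed = parseVersion(FIXED_VERSION);
  const cmp = compareCore(v.core, fixed.core);
  return cmp < 0 || (cmp === 0 && v.prerelease);
}

// Constructed inventory: hostname -> reported Inbox Zero version.
const SAMPLE_INVENTORY: Record<string, string> = {
  "mail-prod-1": "2.29.2",
  "mail-prod-2": "v2.29.3",
  "mail-staging": "2.29.3-rc.1",
  "mail-dev": "2.30.0",
};

// Returns the sorted list of hosts still running a vulnerable version.
function vulnerableInstances(inventory: Record<string, string>): string[] {
  return Object.keys(inventory)
    .filter((host) => isVulnerable(inventory[host]))
    .sort();
}
```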
Evidence notes
The description and advisory metadata state that Inbox Zero versions prior to 2.29.3 were affected and that the issue was fixed in 2.29.3. The NVD record associates the vulnerability with a shared Redis subscription listener causing thread events for one authenticated account to be delivered to another authenticated account during concurrent cleaner feature use. NVD lists the vulnerability as CVSS 4.0 2.3 (LOW) and the primary weakness as CWE-200. Published and modified timestamps in the supplied record are 2026-05-11T18:16:36.683Z and 2026-05-21T18:03:57.447Z.
Official resources
- CVE-2026-42865 CVE record (CVE.org)
- CVE-2026-42865 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] (Patch)
- Mitigation or vendor reference: [email protected] (Patch, Vendor Advisory)
Publicly disclosed on 2026-05-11T18:16:36.683Z and modified on 2026-05-21T18:03:57.447Z. The supplied record does not include a KEV listing.