PatchSiren cyber security CVE debrief
CVE-2026-47123 freescout-help-desk CVE debrief
FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to version 1.8.220, the email processing pipeline in FreeScout's FetchEmails command contains a vulnerability in how agent (user) replies are identified. The notification reply path uses a Message-ID format of `notify-{thread_id}-{user_id}-...` and extracts `thread_id` and `user_id` directly from this header without HMAC verification. This allows an external attacker who can spoof the From address of a helpdesk agent to inject messages that FreeScout processes as legitimate agent replies. These spoofed replies are then automatically forwarded to customers via the legitimate SMTP server, potentially enabling impersonation and unauthorized communication with customers. The vulnerability is fixed in FreeScout version 1.8.220.
- Vendor
- freescout-help-desk
- Product
- freescout
- CVSS
- HIGH 7.5
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-05-29
- Original CVE updated
- 2026-05-29
- Advisory published
- 2026-05-29
- Advisory updated
- 2026-05-29
Who should care
Organizations running FreeScout help desk instances, particularly those processing external email replies. Security teams responsible for email security infrastructure and helpdesk application security. System administrators managing FreeScout deployments who need to prioritize patching for email authentication vulnerabilities.
Technical summary
The vulnerability exists in FreeScout's FetchEmails command, specifically in the notification reply processing path. When FreeScout sends an agent a notification about a thread, the outgoing message carries a Message-ID of the form `notify-{thread_id}-{user_id}-...`; when a reply comes back referencing that identifier, FreeScout treats it as the named agent's reply to the named thread. Before 1.8.220 the `thread_id` and `user_id` were read straight out of the header with no cryptographic binding (no HMAC), so anyone who can get a message into the fetched mailbox can choose both values. An attacker who also spoofs a helpdesk agent's From address therefore submits a message that FreeScout records as a legitimate agent reply and forwards to the customer through the helpdesk's own SMTP server, so the customer receives it from the helpdesk's genuine sending identity. The fix in version 1.8.220 (commit d902f19038213c6a376947d269b00440908e88a0) adds verification of these notification reply identifiers so that the `thread_id` and `user_id` taken from the header are no longer trusted on their own.
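The identifier handling described above, shown as an added example in Python (FreeScout is a PHP/Laravel application; this is not the project's code and does not reproduce its exact header format, which the advisory elides with `...`). The unverified parser accepts any well-formed `notify-` value, which is the pre-1.8.220 failure; the signed variant appends an HMAC over the identifiers and refuses anything that does not verify. The key, the nonce length and the `helpdesk.example` domain are assumptions for the example.

```python
import hashlib
import hmac
import re
import secrets

# Assumption: a per-installation secret (Laravel deployments would use the app key).
SECRET = b"constructed-example-key"
DOMAIN = "helpdesk.example"  # assumed helpdesk domain

# --- Vulnerable shape: identifiers travel in the clear and nothing binds them ---

UNVERIFIED_RE = re.compile(r"<?notify-(\d+)-(\d+)-[^@>]+@[^>]+>?")


def make_notify_id_unverified(thread_id: int, user_id: int) -> str:
    """Build a notify- Message-ID with no integrity protection."""
    return f"notify-{thread_id}-{user_id}-{secrets.token_hex(4)}@{DOMAIN}"


def parse_notify_id_unverified(msg_id: str):
    """Return (thread_id, user_id) for any syntactically valid notify- id.

    This is the bug: an attacker picks thread_id and user_id freely.
    """
    m = UNVERIFIED_RE.fullmatch(msg_id.strip())
    if not m:
        return None
    return int(m.group(1)), int(m.group(2))


# --- Hardened shape: HMAC over thread_id, user_id and nonce, checked on parse ---

SIGNED_RE = re.compile(r"<?notify-(\d+)-(\d+)-([0-9a-f]+)-([0-9a-f]{32})@[^>]+>?")


def _tag(thread_id: str, user_id: str, nonce: str, key: bytes) -> str:
    # 128-bit truncation of HMAC-SHA256 keeps the Message-ID short; the full
    # 256-bit tag is also fine if header length is not a concern.
    body = f"{thread_id}-{user_id}-{nonce}".encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()[:32]


def make_notify_id_signed(thread_id: int, user_id: int, key: bytes = SECRET) -> str:
    """Build a notify- Message-ID whose identifiers are bound by an HMAC."""
    nonce = secrets.token_hex(4)
    tag = _tag(str(thread_id), str(user_id), nonce, key)
    return f"notify-{thread_id}-{user_id}-{nonce}-{tag}@{DOMAIN}"


def parse_notify_id_signed(msg_id: str, key: bytes = SECRET):
    """Return (thread_id, user_id) only if the HMAC verifies, else None."""
    m = SIGNED_RE.fullmatch(msg_id.strip())
    if not m:
        return None
    thread_id, user_id, nonce, tag = m.groups()
    expected = _tag(thread_id, user_id, nonce, key)
    # Constant-time comparison so the tag cannot be guessed byte by byte.
    if not hmac.compare_digest(expected, tag):
        return None
    return int(thread_id), int(user_id)


def demo():
    """Attacker-chosen id: accepted by the old parser, rejected by the new one."""
    forged = "<notify-42-1-deadbeef@helpdesk.example>"  # constructed, never issued
    legit = make_notify_id_signed(42, 1)
    tampered = legit.replace("notify-42-1-", "notify-42-7-", 1)  # swap user_id
    return {
        "forged_unverified": parse_notify_id_unverified(forged),
        "forged_signed": parse_notify_id_signed(forged),
        "legit_signed": parse_notify_id_signed(legit),
        "tampered_signed": parse_notify_id_signed(tampered),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The signed parser also rejects identifiers minted under a different key, so an attacker who learns the format from a legitimate notification still cannot mint one for another thread or agent. The HMAC protects only the identifier; it does not authenticate the From address, so it should sit alongside, not replace, DMARC enforcement on inbound mail.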
Defensive priority
HIGH
Recommended defensive actions
- Upgrade FreeScout to version 1.8.220 or later to remediate this vulnerability.
- Verify that SPF, DKIM and DMARC are published for the agent (helpdesk) domain and, more importantly, that the mail server feeding the mailbox FreeScout fetches actually enforces DMARC on inbound mail claiming to be from that domain. Without enforcement at the receiving side, a valid DMARC record does nothing to stop a spoofed agent From address from reaching FreeScout. This reduces exposure but does not remove the root cause; only the upgrade does.
- Review email processing logs and the fetched mailbox for inbound messages that reference a `notify-` identifier but come from an agent address failing SPF, DKIM or DMARC, and for `notify-` identifiers naming thread or user IDs that the helpdesk never issued.
- Monitor outbound mail from the helpdesk for replies to customers that no agent recognizes sending, since a successful spoof leaves the helpdesk's own SMTP server as the sender of record.
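A triage routine for the log-review action above, as an added example (not FreeScout's code) run over constructed inbound headers. It flags a message on the agent-reply path when the agent From address lacks a DMARC pass from your own MX, or when the `notify-` identifier names a thread/user pair the helpdesk never issued. The `helpdesk.example` domain, the `ISSUED` set and the sample headers are all constructed for the example; the real set of issued identifiers would come from the helpdesk's own records.

```python
import re
from email import message_from_string
from email.utils import parseaddr

AGENT_DOMAIN = "helpdesk.example"  # assumption: domain of agent mailboxes
NOTIFY_RE = re.compile(r"notify-(\d+)-(\d+)-")

# Constructed: thread/user pairs for which notifications were actually sent.
ISSUED = {("42", "1")}

# Constructed inbound messages (headers plus a one-line body). Not real traffic.
SAMPLES = [
    # Genuine agent reply: DMARC pass, identifier was issued.
    "From: Alice Agent <alice@helpdesk.example>\n"
    "In-Reply-To: <notify-42-1-9f3a1c2b@helpdesk.example>\n"
    "Authentication-Results: mx.helpdesk.example; spf=pass; dkim=pass; dmarc=pass\n"
    "Subject: Re: Ticket\n\nLooks good, closing.\n",
    # Spoofed agent From via an external relay: DMARC fail, issued identifier reused.
    "From: Alice Agent <alice@helpdesk.example>\n"
    "In-Reply-To: <notify-42-1-deadbeef@helpdesk.example>\n"
    "Authentication-Results: mx.helpdesk.example; spf=fail; dkim=none; dmarc=fail\n"
    "Subject: Re: Ticket\n\nPlease re-enter your card details here.\n",
    # Authentication passes but the identifier names a pair never issued.
    "From: Bob Agent <bob@helpdesk.example>\n"
    "In-Reply-To: <notify-99-7-00000000@helpdesk.example>\n"
    "Authentication-Results: mx.helpdesk.example; spf=pass; dkim=pass; dmarc=pass\n"
    "Subject: Re: Ticket\n\nhi\n",
    # Ordinary customer mail, not on the agent-reply path.
    "From: Customer <cust@example.org>\n"
    "Subject: new issue\n\nhelp\n",
]


def auth_verdicts(header: str) -> dict:
    """Pull spf/dkim/dmarc results out of an Authentication-Results header."""
    return dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header))


def triage(raw: str):
    """Return (from_addr, findings) for one raw message."""
    msg = message_from_string(raw)
    from_addr = parseaddr(msg.get("From", ""))[1].lower()
    m = NOTIFY_RE.search(msg.get("In-Reply-To", ""))
    findings = []
    if m is None:
        return from_addr, findings  # not claiming to be an agent reply
    if from_addr.endswith("@" + AGENT_DOMAIN):
        verdicts = auth_verdicts(msg.get("Authentication-Results", ""))
        if verdicts.get("dmarc") != "pass":
            findings.append(f"agent From without DMARC pass: {verdicts}")
    if m.groups() not in ISSUED:
        findings.append(f"notify id for unissued thread/user {m.groups()}")
    return from_addr, findings


def suspicious(messages=SAMPLES):
    """All messages with at least one finding, in input order."""
    return [(addr, fs) for addr, fs in map(triage, messages) if fs]


if __name__ == "__main__":
    for addr, fs in suspicious():
        print(addr, "->", "; ".join(fs))
```

The Authentication-Results header is only meaningful when your own MX added it; strip any copy arriving from outside before relying on it, or the attacker simply includes a `dmarc=pass` of their own.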
Evidence notes
CVE published 2026-05-29. CVSS 3.1 score 7.5 (HIGH). CWE-290 (Authentication Bypass by Spoofing) and CWE-345 (Insufficient Verification of Data Authenticity) identified. Fix commit d902f19038213c6a376947d269b00440908e88a0 addresses the vulnerability.
Official resources
2026-05-29