CVE-2026-47123
Severity
HIGH
Title
FreeScout: Agent Impersonation via Missing HMAC Verification on Notification Reply Message-ID Path
Title source: CNA description
FreeScout is a free help desk and shared inbox built on PHP's Laravel framework. Before 1.8.220, the email processing pipeline in FreeScout's FetchEmails command has two code paths for identifying agent (user) replies from the In-Reply-To / References headers. The notification reply path (Message-IDs of the form notify-{thread_id}-{user_id}-...) extracts thread_id and user_id directly from the Message-ID without HMAC verification, so the identifiers are trusted exactly as the sender supplied them. An external attacker who can spoof the From address of a helpdesk agent can therefore inject messages that FreeScout processes as legitimate agent replies, and those replies are automatically forwarded to customers through the helpdesk's own SMTP server. The issue is fixed in 1.8.220.
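The flaw class in the description, as an added example that is not FreeScout's code and is not taken from the advisory or the fix commit: a parser that trusts the thread_id and user_id embedded in a notify-... Message-ID, beside a hardened parser that only accepts them when a server-issued HMAC tag over those identifiers verifies. The layout of the Message-ID after the user_id, the secret, the agent address list and the rule that an agent reply also needs a matching From address are assumptions made for this example.

```python
import hashlib
import hmac
import re
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Constructed secret for this example only. A real deployment would use the
# application's own key material; never hard-code it like this.
APP_SECRET = b"constructed-example-secret-not-for-production"

# Constructed set of agent mailboxes the helpdesk knows about (assumption).
AGENT_EMAILS = {"agent@helpdesk.example"}


@dataclass(frozen=True)
class AgentReply:
    thread_id: int
    user_id: int


# Vulnerable path: anything shaped like notify-{thread_id}-{user_id}-... is
# believed, because nothing in the header proves the server issued it.
UNVERIFIED_RE = re.compile(r"^<?notify-(\d+)-(\d+)-[^>\s]*>?$")


def parse_notify_unverified(in_reply_to: str) -> Optional[AgentReply]:
    m = UNVERIFIED_RE.match(in_reply_to.strip())
    if m is None:
        return None
    return AgentReply(int(m.group(1)), int(m.group(2)))


def notify_tag(thread_id: int, user_id: int) -> str:
    """HMAC-SHA256 over the identifiers, truncated to 128 bits of hex."""
    msg = f"notify-{thread_id}-{user_id}".encode()
    return hmac.new(APP_SECRET, msg, hashlib.sha256).hexdigest()[:32]


def make_notify_message_id(thread_id: int, user_id: int,
                           domain: str = "helpdesk.example") -> str:
    """Server side: the Message-ID placed on an outgoing agent notification."""
    return f"<notify-{thread_id}-{user_id}-{notify_tag(thread_id, user_id)}@{domain}>"


# Hardened path: the same identifiers, but only accepted when the trailing
# tag equals the HMAC the server would have produced for them.
VERIFIED_RE = re.compile(r"^<?notify-(\d+)-(\d+)-([0-9a-f]{32})@[^>\s]+>?$")


def parse_notify_verified(in_reply_to: str) -> Optional[AgentReply]:
    m = VERIFIED_RE.match(in_reply_to.strip())
    if m is None:
        return None
    thread_id, user_id, tag = int(m.group(1)), int(m.group(2)), m.group(3)
    # Constant-time comparison so a timing oracle cannot help guess the tag.
    if not hmac.compare_digest(tag, notify_tag(thread_id, user_id)):
        return None
    return AgentReply(thread_id, user_id)


def classify_incoming(headers: Dict[str, str],
                      parser: Callable[[str], Optional[AgentReply]]) -> str:
    """Decide whether an inbound mail is treated as an agent reply.

    Assumed rule for this example: an agent reply needs both a recognised
    notification Message-ID and a From address belonging to an agent. The
    From check alone is worthless against a spoofed sender, which is why the
    Message-ID must carry its own proof of origin.
    """
    sender = headers.get("From", "").strip().lower()
    reply = parser(headers.get("In-Reply-To", ""))
    if reply is not None and sender in AGENT_EMAILS:
        return f"agent_reply thread={reply.thread_id} user={reply.user_id}"
    return "customer_message"


# Constructed inbound message: From is spoofed to look like the agent and
# In-Reply-To is forged to claim thread 12 as user 3; no notification for
# that pair was ever sent by the server.
SPOOFED_HEADERS = {
    "From": "agent@helpdesk.example",
    "In-Reply-To": "<notify-12-3-forged@helpdesk.example>",
}


def demo() -> Dict[str, str]:
    """Run the spoofed message through both parsers."""
    return {
        "unverified": classify_incoming(SPOOFED_HEADERS, parse_notify_unverified),
        "verified": classify_incoming(SPOOFED_HEADERS, parse_notify_verified),
    }


if __name__ == "__main__":
    for path, outcome in demo().items():
        print(f"{path:>10}: {outcome}")
```

The unverified parser turns the forged header into an agent reply for thread 12 as user 3; the verified parser rejects it and the mail falls through as a customer message. One caveat a reviewer should keep in mind: the HMAC proves the server minted those identifiers, not that the current sender is the agent, so a genuine notification's Message-ID that an attacker has seen (a forwarded mail, a compromised mailbox) can still be replayed. Keeping the tag paired with the sender check, making tags single-use or time-limited, and authenticating the agent domain at the mail layer are the complementary controls.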
References
x_refsource_confirm
https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-6r38-6mcf-2ww3
x_refsource_misc
https://github.com/freescout-help-desk/freescout/commit/d902f19038213c6a376947d269b00440908e88a0
Scores
CVSS v3.1 base score
7.5 (HIGH)
CVSS vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:H/A:N
EPSS
0.0014 (0.14%)
EPSS percentile
3.6%
Attack Vector
NETWORK
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-290 (Authentication Bypass by Spoofing)
CWE-345 (Insufficient Verification of Data Authenticity)
Status
published
Products (1)
freescout-help-desk/freescout
< 1.8.220
Published
May 29, 2026
Tracked Since
May 30, 2026