CVE-2026-40569 - Vulnerability Analysis

Overview

FreeScout < 1.8.213 contains a mass assignment vulnerability caused by lack of field allowlisting in mailbox connection settings endpoints, letting authenticated admins silently manipulate mailbox fields to exfiltrate emails or redirect SMTP, exploit requires authenticated admin privileges.

Severity & Score

Impact

Authenticated admins can silently exfiltrate emails, redirect SMTP, or inject malicious content, compromising confidentiality and integrity of mailbox communications.

Mitigation

Upgrade to version 1.8.213 or later.

References

• https://github.com/freescout-help-desk/freescout/commit/f45b9105d43b0352c08fcca154e8ae6177c3d860
• https://github.com/freescout-help-desk/freescout/releases/tag/1.8.213
• https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-hmqm-33wp-858j

Social Media Activity(1 post)

TheHackerWire

@thehackerwire

Apr 21, 2026

🔴 CVE-2026-40569 - Critical (9) FreeScout is a free self-hosted help desk and shared mailbox. Versions prior to 1.8.213 have a mass assignment vulnerability in the mailbox connection settings endpoints of FreeScout (`connectionIncomingSave()` at `app/Http/Controllers/MailboxesCo... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-40569/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post

Related Resources

• Vulnerability Intelligence Dashboard
• Credential Scanner