HIGH | CVE-2026-47123 | CNA: GitHub_M

CVE-2026-47123: FreeScout: Agent Impersonation via Missing HMAC Verification on Notification Reply Message-ID Path

FreeScout is a free help desk and shared inbox built on the Laravel PHP framework. Prior to 1.8.220, the email processing pipeline in FreeScout's FetchEmails command has two code paths for identifying agent (user) replies from the In-Reply-To / References headers. The notification reply path (notify-{thread_id}-{user_id}-...) extracts thread_id and user_id directly from the referenced Message-ID without HMAC verification, so nothing ties those IDs to a notification the server actually sent. An external attacker who can spoof the From address of a helpdesk agent can therefore inject messages that FreeScout processes as legitimate agent replies, which it then forwards automatically to customers through its own SMTP server. This vulnerability is fixed in 1.8.220.

HarborGuard Analysis

Synopsis

This is an agent impersonation flaw in FreeScout, a PHP/Laravel help desk application, caused by missing HMAC verification on the notification reply Message-ID path in the FetchEmails command. The bug is reachable over the network without authentication: an attacker who can spoof a helpdesk agent's From address can inject email that FreeScout treats as a legitimate agent reply, then forwards to the customer through the configured SMTP server. Successful exploitation lets the attacker send messages to customers under a real agent identity via the helpdesk's own infrastructure. A patched-image rebuild at 1.8.220 is available on HarborGuard for affected environments.
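
The mechanism above reduces to one question: does the server check that the thread_id and user_id in an inbound In-Reply-To were minted by the server itself? The following is an added example (not FreeScout's code, and not the upstream fix) that contrasts a parser that trusts the IDs as found with one that requires an HMAC tag minted with a server-side key. The "notify-{thread_id}-{user_id}-..." layout comes from the advisory; the trailing token, the host part, and the secret key are this example's own assumptions.

```python
import hashlib
import hmac
import re

# Constructed secret for this example. A real deployment would derive the key
# from application configuration; FreeScout's actual key handling is not shown here.
SECRET_KEY = b"constructed-example-secret-do-not-reuse"

# Layout assumed from the advisory's "notify-{thread_id}-{user_id}-..." description.
# The trailing token and the host part are this example's own convention.
NOTIFY_RE = re.compile(r"^<?notify-(\d+)-(\d+)-([^@>\s]+)@([^>\s]+)>?$")


def vulnerable_parse(in_reply_to):
    """Pre-1.8.220 behaviour as the advisory describes it: the IDs in the
    header are trusted as-is, so anyone who can put a well-formed
    notify-... value in In-Reply-To chooses the thread and the agent."""
    m = NOTIFY_RE.match(in_reply_to.strip())
    if not m:
        return None
    return {"thread_id": int(m.group(1)), "user_id": int(m.group(2))}


def _tag(thread_id, user_id, key):
    # Bind the tag to both IDs with a delimiter so "1-23" and "12-3" cannot collide.
    msg = f"notify:{thread_id}:{user_id}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:32]


def make_notify_message_id(thread_id, user_id, host, key=SECRET_KEY):
    """Mint a Message-ID whose trailing token is an HMAC over the IDs."""
    return f"<notify-{thread_id}-{user_id}-{_tag(thread_id, user_id, key)}@{host}>"


def hardened_parse(in_reply_to, key=SECRET_KEY):
    """Accept the IDs only if the token was produced with the server's key.
    compare_digest avoids leaking the expected tag through timing differences."""
    m = NOTIFY_RE.match(in_reply_to.strip())
    if not m:
        return None
    thread_id, user_id, tag = int(m.group(1)), int(m.group(2)), m.group(3)
    if not hmac.compare_digest(tag, _tag(thread_id, user_id, key)):
        return None
    return {"thread_id": thread_id, "user_id": user_id}


if __name__ == "__main__":
    forged = "<notify-42-7-anything@helpdesk.example>"
    print("vulnerable:", vulnerable_parse(forged))   # accepts the attacker's IDs
    print("hardened:  ", hardened_parse(forged))     # None
    genuine = make_notify_message_id(42, 7, "helpdesk.example")
    print("genuine:   ", hardened_parse(genuine))    # {'thread_id': 42, 'user_id': 7}
```

One caveat worth keeping in mind: the HMAC proves only that the server issued this notification for that thread and agent. It does not prove that the person replying is the agent, so anyone holding a genuine notification (a compromised agent mailbox, a forwarded copy) can still replay it. The tag closes the forgery path the advisory describes; authenticating the inbound sender with DMARC, as the compensating controls below suggest, addresses the replay case.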

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment: this CVE is ingested from upstream feeds within minutes of publication and matched against FreeScout images in customer registries and CI pipelines. Coverage includes custom-built images that bundle or extend FreeScout, not just official upstream tags.

Status: Available
Triage

Triage is available with the published CVSS v3.1 score of 7.5 (HIGH) weighted against each environment's compliance policy, so help desk and customer-trust workloads can be escalated above default thresholds. Findings are routed to the configured security or platform inbox inside each customer org.

Status: Available
Patch

A patched-image rebuild at FreeScout 1.8.220 is available on HarborGuard for environments running an affected version. For customers who opt into auto-remediation, the rebuild is produced, regression-tested, and a PR is opened against affected workloads automatically.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    The attacker must be able to deliver email to the mailbox FreeScout polls, which means reaching that mailbox's mail server over SMTP; FreeScout itself need not be exposed.

  • Authentication: Not required

    No FreeScout account or credentials are needed; the attacker only needs to spoof an agent's From address on an inbound message and reference a notify-... Message-ID in In-Reply-To or References.

  • Victim interaction: Not required

    FreeScout processes the spoofed message automatically through FetchEmails and forwards it to the customer without any agent or admin action.

  • Attack complexity: High

    Complexity is rated High in the CVSS vector: the attacker must know or guess valid thread_id and user_id values and must get a message with a forged agent From address past whatever SPF, DKIM, and DMARC enforcement the receiving mail server applies to the polled mailbox.

Blast Radius

  • Sends arbitrary messages to customers from a real agent identity using the helpdesk's legitimate SMTP server, enabling phishing and social engineering under a trusted brand.
  • Injects forged replies into existing support threads, tampering with the conversation record customers and agents rely on.
  • Damages the integrity of the help desk audit trail, since spoofed messages are stored as genuine agent replies.

How HarborGuard Handles This

Available on HarborGuard: a patched-image rebuild at FreeScout 1.8.220 is published for affected environments, and customers with auto-remediation enabled get an automatic rebuild, regression test run, and PR opened against workloads still on a vulnerable version. Median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes in auto-remediation environments. For environments where compliance policy requires manual change control, the rebuild is staged and held pending approval. Until the upgrade lands, compensating controls can reduce exposure: enforce SPF, DKIM, and DMARC on the polled mailbox and restrict which sources may deliver to it. Check that the receiving mail server actually rejects or quarantines DMARC failures for the agent domain rather than only annotating them in Authentication-Results, since FreeScout will process anything that reaches the mailbox.
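
As an added example of the compensating control above (this is not HarborGuard's or FreeScout's code), the check below reads messages as they would sit in the polled mailbox and flags any that reference a notify-... Message-ID, claim an agent-domain From address, and lack a DMARC pass in the Authentication-Results header written by the receiving mail server. The agent domain, the sample messages, and the header values are constructed for this example.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Assumption for this example: agents send from this domain. Adjust per deployment.
AGENT_DOMAIN = "helpdesk.example"

# Notification reply path from the advisory; the trailing token is treated as opaque here.
NOTIFY_REF = re.compile(r"<notify-(\d+)-(\d+)-[^@>\s]+@[^>\s]+>")


def notify_targets(msg):
    """Return (thread_id, user_id) pairs referenced via In-Reply-To or References."""
    refs = " ".join(str(v) for v in (msg.get("In-Reply-To"), msg.get("References")) if v)
    return [(int(t), int(u)) for t, u in NOTIFY_REF.findall(refs)]


def auth_verdicts(msg):
    """Collect spf/dkim/dmarc results from Authentication-Results (RFC 8601) as
    written by the receiving MTA. The last value seen for each method wins."""
    verdicts = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for m in re.finditer(r"\b(spf|dkim|dmarc)=([a-z]+)", str(hdr), re.I):
            verdicts[m.group(1).lower()] = m.group(2).lower()
    return verdicts


def assess(raw_message):
    """Flag a message that rides the notify reply path under an agent-domain
    From address without a DMARC pass for that domain."""
    msg = message_from_string(raw_message, policy=policy.default)
    _, sender = parseaddr(str(msg.get("From", "")))
    sender_domain = sender.rsplit("@", 1)[-1].lower() if "@" in sender else ""
    targets = notify_targets(msg)
    verdicts = auth_verdicts(msg)
    suspicious = bool(targets) and sender_domain == AGENT_DOMAIN and verdicts.get("dmarc") != "pass"
    return {
        "sender": sender,
        "targets": targets,
        "dmarc": verdicts.get("dmarc", "none"),
        "suspicious": suspicious,
    }


# Constructed sample messages for this example, not captured traffic.
SPOOFED = """\
From: Alice Agent <alice@helpdesk.example>
To: support@helpdesk.example
Subject: Re: Password reset
In-Reply-To: <notify-42-7-deadbeef@helpdesk.example>
Authentication-Results: mx.helpdesk.example; spf=fail smtp.mailfrom=attacker.example; dkim=none; dmarc=fail header.from=helpdesk.example

Please confirm your account by visiting the link below.
"""

GENUINE = """\
From: Alice Agent <alice@helpdesk.example>
To: support@helpdesk.example
Subject: Re: Password reset
In-Reply-To: <notify-42-7-deadbeef@helpdesk.example>
Authentication-Results: mx.helpdesk.example; spf=pass smtp.mailfrom=helpdesk.example; dkim=pass header.d=helpdesk.example; dmarc=pass header.from=helpdesk.example

Reset link sent, let us know if it does not arrive.
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("genuine", GENUINE)):
        print(label, assess(raw))
```

This check is only as trustworthy as the Authentication-Results header it reads. The receiving mail server must be the one writing it and must strip or rename any copy an attacker supplies on the wire, as RFC 8601 requires; otherwise a spoofer can simply include a dmarc=pass line of their own.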


Metrics

CVSS v3.1: 7.5
Severity: HIGH
Fixed in: 1.8.220
Affected products: 1
Affected packages:
  • freescout-help-desk / freescout (< 1.8.220)
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:H/A:N