freescout-help-desk freescout up to 1.8.212 Connection Test fsockopen server-side request forgery

Summaryinfo

A vulnerability identified as critical has been detected in freescout-help-desk freescout up to 1.8.212. The affected element is the function fsockopen of the component Connection Test. This manipulation causes server-side request forgery. This vulnerability is tracked as CVE-2026-40566. The attack is possible to be carried out remotely. No exploit exists. You should upgrade the affected component.

Detailsinfo

A vulnerability classified as critical was found in freescout-help-desk freescout up to 1.8.212. Affected by this vulnerability is the function fsockopen of the component Connection Test. The manipulation with an unknown input leads to a server-side request forgery vulnerability. The CWE definition for the vulnerability is CWE-918. The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. As an impact it is known to affect confidentiality, integrity, and availability. The summary by CVE is:

FreeScout is a free self-hosted help desk and shared mailbox. Versions prior to 1.8.213 have a Server-Side Request Forgery (SSRF) vulnerability in the IMAP/SMTP connection test functionality of FreeScout's `MailboxesController`. Three AJAX actions `fetch_test` (line 731), `send_test` (line 682), and `imap_folders` (line 773) in `app/Http/Controllers/MailboxesController.php` pass admin-configured `in_server`/`in_port` and `out_server`/`out_port` values directly to `fsockopen()` via `Helper::checkPort()` and to IMAP/SMTP client connections with zero SSRF protection. There is no IP validation, no hostname restriction, no blocklist of internal ranges, and no call to the project's own `sanitizeRemoteUrl()` or `checkUrlIpAndHost()` functions. The validation block in `connectionIncomingSave()` is entirely commented out. An authenticated admin can configure a mailbox's IMAP or SMTP server to point at any internal host and port, then trigger a connection test. The server opens raw TCP connections (via `fsockopen()`) and protocol-level connections (via IMAP client or SMTP transport) to the attacker-specified target. The response differentiates open from closed ports, enabling internal network port scanning. When the IMAP client connects to a non-IMAP service, the target's service banner or error response is captured in the IMAP debug log and returned in the AJAX response's `log` field, making this a semi-blind SSRF that enables service fingerprinting. In cloud environments, the metadata endpoint at `169[.]254[.]169[.]254` can be probed and partial response data may be leaked through protocol error messages. This is distinct from the `sanitizeRemoteUrl()` redirect bypass (freescout-3) -- different code path, different root cause, different protocol layer. Version 1.8.213 patches the vulnerability.

It is possible to read the advisory at github.com. This vulnerability is known as CVE-2026-40566 since 04/14/2026. The exploitation appears to be easy. The attack can be launched remotely. Additional levels of successful authentication are required for exploitation. Technical details of the vulnerability are known, but there is no available exploit.

Upgrading to version 1.8.213 eliminates this vulnerability.

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Productinfo

Vendor

• freescout-help-desk

Name

• freescout

Version

• 1.8.212

Website

• Product: https://github.com/freescout-help-desk/freescout/

CPE 2.3info

• 🔒

CPE 2.2info

• 🔒

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Discussion