CVE-2026-42865
2.3
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
Summary
Inbox Zero is an AI personal assistant for email. Prior to 2.29.3, the cleaner email stream endpoint used a shared Redis subscription listener, which could deliver thread events for one authenticated account to another authenticated account using the cleaner feature at the same time. This vulnerability is fixed in 2.29.3.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| elie222 | inbox-zero | < 2.29.3 | affected |
Weaknesses
- CWE-200: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
References
- https://github.com/elie222/inbox-zero/security/advisories/GHSA-f3gp-v7cj-2569
- https://github.com/elie222/inbox-zero/commit/02341923b5460ce9630c4681a9b6461ba466688a
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.