CVE-2026-42865

UNKNOWN 0.0

Inbox Zero: Cross-account cleaner email stream exposure

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

0th

Inbox Zero is an AI personal assistant for email. Prior to 2.29.3, the cleaner email stream endpoint used a shared Redis subscription listener, which could deliver thread events for one authenticated account to another authenticated account using the cleaner feature at the same time. This vulnerability is fixed in 2.29.3.

CWE	CWE-200
Vendor	elie222
Product	inbox-zero
Published	May 11, 2026
Last Updated	May 11, 2026

Stay Ahead of the Next One

Get instant alerts for elie222 inbox-zero

Be the first to know when new unknown vulnerabilities affecting elie222 inbox-zero are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

elie222 / inbox-zero

< 2.29.3

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/elie222/inbox-zero/security/advisories/GHSA-f3gp-v7cj-2569 github.com: https://github.com/elie222/inbox-zero/commit/02341923b5460ce9630c4681a9b6461ba466688a